ruby-changes:55029
From: nagachika <ko1@a...>
Date: Wed, 13 Mar 2019 07:01:37 +0900 (JST)
Subject: [ruby-changes:55029] nagachika:r67236 (ruby_2_5): merge revision(s) 66832: [Backport #15536]
nagachika 2019-03-13 07:01:32 +0900 (Wed, 13 Mar 2019) New Revision: 67236 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=67236 Log: merge revision(s) 66832: [Backport #15536] st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write "hash_bulk_insert" first expands the table, but the target size was wrong: it was calculated by "num_entries + (size to bulk insert)", but it was wrong when "num_entries < entries_bound", i.e., it has a deleted entry. "hash_bulk_insert" adds the given entries from entries_bound, which led to out-of-bounds write access. [Bug #15536] As a simple fix, this commit changes the calculation to "entries_bound + size". I'm afraid if this might be inefficient, but I think it is safe anyway. Modified directories: branches/ruby_2_5/ Modified files: branches/ruby_2_5/bootstraptest/test_literal.rb branches/ruby_2_5/st.c branches/ruby_2_5/version.h Index: ruby_2_5/st.c =================================================================== --- ruby_2_5/st.c (revision 67235) +++ ruby_2_5/st.c (revision 67236) @@ -2292,7 +2292,7 @@ rb_hash_bulk_insert(long argc, const VAL https://github.com/ruby/ruby/blob/trunk/ruby_2_5/st.c#L2292 RHASH(hash)->ntbl = tab = RHASH(tmp)->ntbl; RHASH(tmp)->ntbl = NULL; } - n = tab->num_entries + argc / 2; + n = tab->entries_bound + argc / 2; st_expand_table(tab, n); if (UNLIKELY(tab->num_entries)) st_insert_generic(tab, argc, argv, hash); Index: ruby_2_5/bootstraptest/test_literal.rb =================================================================== --- ruby_2_5/bootstraptest/test_literal.rb (revision 67235) +++ ruby_2_5/bootstraptest/test_literal.rb (revision 67236) 
@@ -223,6 +223,24 @@ assert_equal 'ok', %q{ # long hash lite https://github.com/ruby/ruby/blob/trunk/ruby_2_5/bootstraptest/test_literal.rb#L223 :ok } +assert_equal 'ok', %q{ # Bug #15536 + eval <<-END + { + **{ + a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil, + }, + a0: nil, a1: nil, a2: nil, a3: nil, a4: nil, a5: nil, a6: nil, a7: nil, a8: nil, + **{ + c: nil + }, + b0: nil, b1: nil, b2: nil, b3: nil, b4: nil, b5: nil, b6: nil, b7: nil, b8: nil, + b9: nil, b10: nil, b11: nil, b12: nil, b13: nil, b14: nil, b15: nil, b16: nil, + b17: nil, b18: nil, b19: nil, b20: nil, b21: nil, + } + END + :ok +} + assert_equal 'ok', %q{ [print(:ok), exit] # void literal with side-effect :dummy Index: ruby_2_5/version.h =================================================================== --- ruby_2_5/version.h (revision 67235) +++ ruby_2_5/version.h (revision 67236) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_5/version.h#L1 #define RUBY_VERSION "2.5.4" #define RUBY_RELEASE_DATE "2019-03-13" -#define RUBY_PATCHLEVEL 148 +#define RUBY_PATCHLEVEL 149 #define RUBY_RELEASE_YEAR 2019 #define RUBY_RELEASE_MONTH 3 Index: ruby_2_5 =================================================================== --- ruby_2_5 (revision 67235) +++ ruby_2_5 (revision 67236) Property changes on: ruby_2_5 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /trunk:r66832 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
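Review bot: In the st.c hunk, the changed assignment `n = tab->entries_bound + argc / 2;` carries no comment explaining why the size is derived from entries_bound rather than num_entries. The log message records both that bulk insert appends starting at entries_bound and that the author is unsure about efficiency, so a later cleanup could plausibly switch back to num_entries to save memory and reintroduce the out-of-bounds write. A one-line comment at the assignment stating that the expanded table must cover entries_bound plus the inserted pairs, deleted slots included, would pin that invariant down next to the code that depends on it.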
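Review bot: In the test_literal.rb hunk, the new Bug #15536 case only checks that the eval completes and the block yields :ok, so it passes whenever the out-of-bounds write happens not to crash the process. Consider returning something derived from the hash literal itself, for example its size or key list, and asserting on that value, so a corrupted table is caught even without a crash. A short comment on which part of the literal leaves the table with num_entries < entries_bound would also help, since that precondition from the log message is not evident from the literal alone.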
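The sizing error described in the commit log, as an added example that is not code from Ruby's st.c: a simplified model that sizes a table from either `num_entries` or `entries_bound` and reports how many slots a bulk append starting at `entries_bound` would write past the array. The struct, the helper names, the power-of-two growth rule and the sample numbers are assumptions of this model.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model (hypothetical, not Ruby's st_table). */
struct model_table {
    size_t num_entries;   /* live entries */
    size_t entries_bound; /* one past the last used slot; deleted slots count */
    size_t allocated;     /* slots in the entries array */
};

/* Assumption of this model: capacity grows to the next power of two. */
static size_t round_up_pow2(size_t n) {
    size_t cap = 1;
    while (cap < n) cap <<= 1;
    return cap;
}

/* Grow-only expansion; deleted slots are kept, so entries_bound stays put. */
static void model_expand(struct model_table *t, size_t want) {
    if (want > t->allocated) t->allocated = round_up_pow2(want);
}

/* Bulk append fills slots [entries_bound, entries_bound + count).
   Returns how many of those slots lie past the array (0 means safe). */
static size_t bulk_overrun(const struct model_table *t, size_t count) {
    size_t end = t->entries_bound + count;
    return end > t->allocated ? end - t->allocated : 0;
}

/* Size the table from num_entries (use_bound = 0) or entries_bound
   (use_bound = 1), then report the overrun of the following bulk append. */
static size_t overrun_with(struct model_table t, size_t count, int use_bound) {
    size_t base = use_bound ? t.entries_bound : t.num_entries;
    model_expand(&t, base + count);
    return bulk_overrun(&t, count);
}

int main(void) {
    /* Constructed state: 11 slots used, 2 of them deleted, 22 pairs to add. */
    struct model_table t = { 9, 11, 16 };
    printf("sized from num_entries:   overrun = %zu\n", overrun_with(t, 22, 0));
    printf("sized from entries_bound: overrun = %zu\n", overrun_with(t, 22, 1));
    return 0;
}
```

In this model the rounding of the capacity hides the mistake unless the deleted slots push the append across a capacity boundary, which is why a defect of this kind can stay silent for most inputs.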