ruby-changes:20975
From: nahi <ko1@a...>
Date: Tue, 23 Aug 2011 11:42:32 +0900 (JST)
Subject: [ruby-changes:20975] nahi:r33023 (trunk): * ext/zlib/zlib.c (gzfile_read_header): Ensure that each section of
nahi 2011-08-23 11:36:13 +0900 (Tue, 23 Aug 2011) New Revision: 33023 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=33023 Log: * ext/zlib/zlib.c (gzfile_read_header): Ensure that each section of gzip header is readable to avoid SEGV. * test/zlib/test_zlib.rb (test_corrupted_header): Test it. Modified files: trunk/ChangeLog trunk/ext/zlib/zlib.c trunk/test/zlib/test_zlib.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 33022) +++ ChangeLog (revision 33023) @@ -1,3 +1,10 @@ +Tue Aug 23 11:27:26 2011 Hiroshi Nakamura <nahi@r...> + + * ext/zlib/zlib.c (gzfile_read_header): Ensure that each section of + gzip header is readable to avoid SEGV. + + * test/zlib/test_zlib.rb (test_corrupted_header): Test it. + Mon Aug 22 23:43:33 2011 CHIKANAGA Tomoyuki <nagachika00@g...> * sprintf.c (rb_str_format): add RB_GC_GUARD to prevent temporary Index: ext/zlib/zlib.c =================================================================== --- ext/zlib/zlib.c (revision 33022) +++ ext/zlib/zlib.c (revision 33023) @@ -2306,6 +2306,9 @@ zstream_discard_input(&gz->z, 2 + len); } if (flags & GZ_FLAG_ORIG_NAME) { + if (!gzfile_read_raw_ensure(gz, 1)) { + rb_raise(cGzError, "unexpected end of file"); + } p = gzfile_read_raw_until_zero(gz, 0); len = p - RSTRING_PTR(gz->z.input); gz->orig_name = rb_str_new(RSTRING_PTR(gz->z.input), len); @@ -2313,6 +2316,9 @@ zstream_discard_input(&gz->z, len + 1); } if (flags & GZ_FLAG_COMMENT) { + if (!gzfile_read_raw_ensure(gz, 1)) { + rb_raise(cGzError, "unexpected end of file"); + } p = gzfile_read_raw_until_zero(gz, 0); len = p - RSTRING_PTR(gz->z.input); gz->comment = rb_str_new(RSTRING_PTR(gz->z.input), len); Index: test/zlib/test_zlib.rb =================================================================== --- test/zlib/test_zlib.rb (revision 33022) +++ test/zlib/test_zlib.rb (revision 33023) @@ -694,6 +694,20 @@ assert_equal("foo", Zlib::GzipReader.wrap(f) {|gz| gz.read }) assert_raise(IOError) { f.close } end + + def test_corrupted_header + gz = Zlib::GzipWriter.new(StringIO.new(s = "")) + gz.orig_name = "X" + gz.comment = "Y" + gz.print("foo") + gz.finish + # 14: magic(2) + method(1) + flag(1) + mtime(4) + exflag(1) + os(1) + orig_name(2) + comment(2) + 1.upto(14) do |idx| + assert_raise(Zlib::GzipFile::Error, idx) do + Zlib::GzipReader.new(StringIO.new(s[0, idx])).read + end + end + end end class TestZlibGzipWriter < Test::Unit::TestCase -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/