ruby-changes:23229
From: nobu <ko1@a...>
Date: Tue, 10 Apr 2012 16:26:44 +0900 (JST)
Subject: [ruby-changes:23229] nobu:r35279 (trunk): rb_str_format: check overflow
nobu 2012-04-10 16:26:35 +0900 (Tue, 10 Apr 2012) New Revision: 35279 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=35279 Log: rb_str_format: check overflow * sprintf.c (rb_str_format): check overflow at too long name. Modified files: trunk/sprintf.c Index: sprintf.c =================================================================== --- sprintf.c (revision 35278) +++ sprintf.c (revision 35279) @@ -566,6 +566,7 @@ { const char *start = p; char term = (*p == '<') ? '>' : '}'; + int len; for (; p < end && *p != term; ) { p += rb_enc_mbclen(p, end, enc); @@ -573,14 +574,23 @@ if (p >= end) { rb_raise(rb_eArgError, "malformed name - unmatched parenthesis"); } +#if SIZEOF_INT < SIZEOF_SIZE_T + if ((size_t)(p - start) >= INT_MAX) { + const int message_limit = 20; + len = (int)(rb_enc_right_char_head(start, start + message_limit, p, enc) - start); + rb_raise(rb_eArgError, "too long name (%"PRIdSIZE" bytes) - %.*s...%c", + (size_t)(p - start - 2), len, start, term); + } +#endif + len = (int)(p - start + 1); /* including parenthesis */ if (id) { rb_raise(rb_eArgError, "name%.*s after <%s>", - (int)(p - start + 1), start, rb_id2name(id)); + len, start, rb_id2name(id)); } - id = rb_intern3(start + 1, p - start - 1, enc); - nextvalue = GETNAMEARG(ID2SYM(id), start, (int)(p - start + 1)); + id = rb_intern3(start + 1, len - 2 /* without parenthesis */, enc); + nextvalue = GETNAMEARG(ID2SYM(id), start, len); if (nextvalue == Qundef) { - rb_raise(rb_eKeyError, "key%.*s not found", (int)(p - start + 1), start); + rb_raise(rb_eKeyError, "key%.*s not found", len, start); } if (term == '}') goto format_s; p++; -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/