ruby-changes:28461
From: shirosaki <ko1@a...>
Date: Sun, 28 Apr 2013 22:21:46 +0900 (JST)
Subject: [ruby-changes:28461] shirosaki:r40513 (trunk): ossl_bn.c: fix ossl_bn_initialize bug with integer
shirosaki 2013-04-28 22:20:11 +0900 (Sun, 28 Apr 2013) New Revision: 40513 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=40513 Log: ossl_bn.c: fix ossl_bn_initialize bug with integer * ext/openssl/ossl_bn.c (ossl_bn_initialize): fix buffer overflow on x64 Windows and memory leak when initializing with integer. [ruby-core:54615] [Bug #8337] Modified files: trunk/ChangeLog trunk/ext/openssl/ossl_bn.c Index: ChangeLog =================================================================== --- ChangeLog (revision 40512) +++ ChangeLog (revision 40513) @@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Sun Apr 28 22:04:37 2013 Hiroshi Shirosaki <h.shirosaki@g...> + + * ext/openssl/ossl_bn.c (ossl_bn_initialize): fix buffer overflow on + x64 Windows and memory leak when initializing with integer. + [ruby-core:54615] [Bug #8337] + Sun Apr 28 12:38:04 2013 Nobuyoshi Nakada <nobu@r...> * README.EXT: correct method name to be used. [Bug #7982] Index: ext/openssl/ossl_bn.c =================================================================== --- ext/openssl/ossl_bn.c (revision 40512) +++ ext/openssl/ossl_bn.c (revision 40513) @@ -123,11 +123,11 @@ ossl_bn_initialize(int argc, VALUE *argv https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_bn.c#L123 if (RB_TYPE_P(str, T_FIXNUM)) { long i; - unsigned char *bin = (unsigned char*)ALLOC_N(long, 1); + unsigned char *bin = (unsigned char*)ALLOCA_N(long, 1); long n = FIX2LONG(str); unsigned long un = labs(n); - for (i = sizeof(VALUE) - 1; 0 <= i; i--) { + for (i = sizeof(long) - 1; 0 <= i; i--) { bin[i] = un&0xff; un >>= 8; } 
@@ -154,8 +154,10 @@ ossl_bn_initialize(int argc, VALUE *argv https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_bn.c#L154 GetBN(self, bn); if (!BN_bin2bn(bin, (int)sizeof(BDIGIT)*RBIGNUM_LENINT(str), bn)) { + xfree(bin); ossl_raise(eBNError, NULL); } + xfree(bin); if (!RBIGNUM_SIGN(str)) BN_set_negative(bn, 1); return self; } -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
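Review bot: in the ext/openssl/ossl_bn.c hunk at @@ -123, the buffer size (`ALLOCA_N(long, 1)`) and the loop bound (`sizeof(long) - 1`) are still written in two separate places, which is the arrangement that let the old `sizeof(VALUE)` bound run past a `long`-sized buffer on a platform where the two types differ in width. Declaring `unsigned char bin[sizeof(long)];` and starting the loop at `sizeof(bin) - 1` would tie the bound to the buffer and remove both the cast and the alloca. A one-line comment saying that the loop stores the magnitude big-endian into a `long`-wide buffer would help the next reader keep the two in step.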
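Review bot: in the ext/openssl/ossl_bn.c hunk at @@ -154, `xfree(bin)` is added only on the two paths around the `BN_bin2bn` check, so `bin` is still not released if `GetBN(self, bn)` on the line above raises. If that macro can raise, doing the `GetBN` lookup before `bin` is allocated would close that path. The duplicated `xfree(bin)` could also be collapsed by keeping the `BN_bin2bn` result in a local, freeing once, and calling `ossl_raise(eBNError, NULL)` afterwards when the result was NULL.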