ruby-changes:39392
From: nagachika <ko1@a...>
Date: Tue, 4 Aug 2015 03:39:31 +0900 (JST)
Subject: [ruby-changes:39392] nagachika:r51473 (ruby_2_2): merge revision(s) 50827, 50921: [Backport #11235]
nagachika 2015-08-04 03:39:09 +0900 (Tue, 04 Aug 2015) New Revision: 51473 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51473 Log: merge revision(s) 50827,50921: [Backport #11235] * array.c (ary_ensure_room_for_push): check if array size will exceed maxmum size to get rid of buffer overflow. [ruby-dev:49043] [Bug #11235] * array.c (ary_ensure_room_for_unshift, rb_ary_splice): ditto. exceed maximum size to get rid of buffer overflow. Modified directories: branches/ruby_2_2/ Modified files: branches/ruby_2_2/ChangeLog branches/ruby_2_2/array.c branches/ruby_2_2/test/ruby/test_array.rb branches/ruby_2_2/version.h Index: ruby_2_2/array.c =================================================================== --- ruby_2_2/array.c (revision 51472) +++ ruby_2_2/array.c (revision 51473) @@ -353,9 +353,13 @@ rb_ary_modify(VALUE ary) https://github.com/ruby/ruby/blob/trunk/ruby_2_2/array.c#L353 static VALUE ary_ensure_room_for_push(VALUE ary, long add_len) { - long new_len = RARRAY_LEN(ary) + add_len; + long old_len = RARRAY_LEN(ary); + long new_len = old_len + add_len; long capa; + if (old_len > ARY_MAX_SIZE - add_len) { + rb_raise(rb_eIndexError, "index %ld too big", new_len); + } if (ARY_SHARED_P(ary)) { if (new_len > RARRAY_EMBED_LEN_MAX) { VALUE shared = ARY_SHARED(ary); @@ -1088,6 +1092,10 @@ ary_ensure_room_for_unshift(VALUE ary, i https://github.com/ruby/ruby/blob/trunk/ruby_2_2/array.c#L1092 long capa; const VALUE *head, *sharedp; + if (len > ARY_MAX_SIZE - argc) { + rb_raise(rb_eIndexError, "index %ld too big", new_len); + } + if (ARY_SHARED_P(ary)) { VALUE shared = ARY_SHARED(ary); capa = RARRAY_LEN(shared); 
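Review bot: In ary_ensure_room_for_push the sum `old_len + add_len` is still computed in the initializer of `new_len`, before the new guard runs, and that value is what the error message prints. The guard itself is written in the subtraction form so the comparison cannot wrap, but the addition is only safe if `add_len` is non-negative and bounded, which these lines do not show. If callers guarantee that, say so next to the check, e.g. `/* add_len >= 0 and old_len <= ARY_MAX_SIZE, so old_len + add_len cannot wrap; compare by subtraction anyway */`. Otherwise assign `new_len` after the guard. The same pattern is in the ary_ensure_room_for_unshift hunk, where `new_len` is declared outside the visible lines; both function bodies continue past their hunks.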
@@ -1585,6 +1593,9 @@ rb_ary_splice(VALUE ary, long beg, long https://github.com/ruby/ruby/blob/trunk/ruby_2_2/array.c#L1593 else { long alen; + if (olen - len > ARY_MAX_SIZE - rlen) { + rb_raise(rb_eIndexError, "index %ld too big", olen + rlen - len); + } rb_ary_modify(ary); alen = olen + rlen - len; if (alen >= ARY_CAPA(ary)) { Index: ruby_2_2/ChangeLog =================================================================== --- ruby_2_2/ChangeLog (revision 51472) +++ ruby_2_2/ChangeLog (revision 51473) @@ -1,3 +1,11 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1 +Tue Aug 4 03:13:59 2015 Nobuyoshi Nakada <nobu@r...> + + * array.c (ary_ensure_room_for_push): check if array size will + exceed maximum size to get rid of buffer overflow. + [ruby-dev:49043] [Bug #11235] + + * array.c (ary_ensure_room_for_unshift, rb_ary_splice): ditto. + Sat Jul 4 23:08:32 2015 Nobuyoshi Nakada <nobu@r...> * file.c (rb_file_load_ok): try opening file without gvl not to Index: ruby_2_2/version.h =================================================================== --- ruby_2_2/version.h (revision 51472) +++ ruby_2_2/version.h (revision 51473) @@ -1,9 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1 #define RUBY_VERSION "2.2.3" -#define RUBY_RELEASE_DATE "2015-07-04" -#define RUBY_PATCHLEVEL 147 +#define RUBY_RELEASE_DATE "2015-08-04" +#define RUBY_PATCHLEVEL 148 #define RUBY_RELEASE_YEAR 2015 -#define RUBY_RELEASE_MONTH 7 +#define RUBY_RELEASE_MONTH 8 #define RUBY_RELEASE_DAY 4 #include "ruby/version.h" Index: ruby_2_2/test/ruby/test_array.rb =================================================================== --- ruby_2_2/test/ruby/test_array.rb (revision 51472) +++ ruby_2_2/test/ruby/test_array.rb (revision 51473) 
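Review bot: The size check added to rb_ary_splice covers only the `else` branch; the branch before it is outside this hunk, so it is worth confirming that path also rejects a result larger than ARY_MAX_SIZE before it resizes. Within the added lines, the guard compares `olen - len` against `ARY_MAX_SIZE - rlen`, but the message argument is written as `olen + rlen - len`, which forms the larger intermediate first. Writing it as `olen - len + rlen` would keep the arithmetic in the same order as the check. A one-line comment such as `/* resulting length olen - len + rlen must not exceed ARY_MAX_SIZE */` would also make clear that the reported "index" is really the resulting length.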
@@ -2496,6 +2496,34 @@ class TestArray < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/ruby/test_array.rb#L2496 end end + sizeof_long = [0].pack("l!").size + sizeof_voidp = [""].pack("p").size + if sizeof_long < sizeof_voidp + ARY_MAX = (1<<(8*sizeof_long-1)) / sizeof_voidp - 1 + Bug11235 = '[ruby-dev:49043] [Bug #11235]' + + def test_push_over_ary_max + assert_separately(['-', ARY_MAX.to_s, Bug11235], <<-"end;") + a = Array.new(ARGV[0].to_i) + assert_raise(IndexError, ARGV[1]) {0x1000.times {a.push(1)}} + end; + end + + def test_unshift_over_ary_max + assert_separately(['-', ARY_MAX.to_s, Bug11235], <<-"end;") + a = Array.new(ARGV[0].to_i) + assert_raise(IndexError, ARGV[1]) {0x1000.times {a.unshift(1)}} + end; + end + + def test_splice_over_ary_max + assert_separately(['-', ARY_MAX.to_s, Bug11235], <<-"end;") + a = Array.new(ARGV[0].to_i) + assert_raise(IndexError, ARGV[1]) {a[0, 0] = Array.new(0x1000)} + end; + end + end + private def need_continuation unless respond_to?(:callcc, true) Property changes on: ruby_2_2 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r50827,50921 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
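Review bot: The three regression tests are defined only when `sizeof_long < sizeof_voidp`, so on platforms where a long is as wide as a pointer the new guards in array.c get no coverage from this file. That gating is presumably deliberate, because `Array.new(ARY_MAX)` would be too large to allocate elsewhere, but nothing in the hunk says so. A comment above the condition would record the reason, e.g. `# ARY_MAX is only reachable in memory when long is narrower than a pointer; elsewhere these tests are skipped`. The enclosing TestArray class starts and ends outside the hunk.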