ruby-changes:39418
From: nobu <ko1@a...>
Date: Thu, 6 Aug 2015 10:50:10 +0900 (JST)
Subject: [ruby-changes:39418] nobu:r51499 (trunk): node.c: check size
nobu 2015-08-06 10:50:00 +0900 (Thu, 06 Aug 2015) New Revision: 51499 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51499 Log: node.c: check size * node.c (rb_alloc_tmp_buffer): round up the size and check the range. Modified files: trunk/ChangeLog trunk/node.c
Index: ChangeLog
===================================================================
--- ChangeLog (revision 51498)
+++ ChangeLog (revision 51499)
@@ -1,4 +1,7 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
-Thu Aug 6 10:44:00 2015 Nobuyoshi Nakada <nobu@r...>
+Thu Aug 6 10:49:57 2015 Nobuyoshi Nakada <nobu@r...>
+
+ * node.c (rb_alloc_tmp_buffer): round up the size and check the
+ range.
* ruby_atomic.h (ATOMIC_VALUE_EXCHANGE, ATOMIC_VALUE_CAS): add atomic operations for VALUE.
Index: node.c
===================================================================
--- node.c (revision 51498)
+++ node.c (revision 51499)
@@ -1079,10 +1079,18 @@ rb_gc_mark_node(NODE *obj) https://github.com/ruby/ruby/blob/trunk/node.c#L1079
void *
rb_alloc_tmp_buffer(volatile VALUE *store, long len)
{
- NODE *s = rb_node_newnode(NODE_ALLOCA, 0, 0, 0);
- void *ptr = xmalloc(len);
- s->u1.node = ptr;
- s->u3.cnt = len / sizeof(VALUE);
+ NODE *s;
+ long cnt;
+ void *ptr;
+
+ if (len < 0 || (cnt = (long)roomof(len, sizeof(VALUE))) < 0) {
+ rb_raise(rb_eArgError, "negative buffer size (or size too big)");
+ }
+
+ s = rb_node_newnode(NODE_ALLOCA, 0, 0, 0);
+ ptr = xmalloc(cnt * sizeof(VALUE));
+ s->u1.value = (VALUE)ptr;
+ s->u3.cnt = cnt;
*store = (VALUE)s;
return ptr;
}
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
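Review bot: The range check in the new `if` of `rb_alloc_tmp_buffer` tests for an oversized `len` only after `roomof(len, sizeof(VALUE))` has already done the addition, so whether the "size too big" branch can ever fire depends on how that macro is typed, which this hunk does not show. If the sum is evaluated as `size_t`, the cast result is presumably never negative once `len < 0` is excluded and the upper bound is left entirely to `xmalloc`; if it is evaluated as `long`, the overflow is undefined before the test runs. Bounding the input first avoids both readings and removes the assignment inside the condition: `if (len < 0 || len > LONG_MAX - (long)sizeof(VALUE) + 1) {` with the `rb_raise` body unchanged, followed by `cnt = (long)roomof(len, sizeof(VALUE));`. A short comment stating that the allocation is rounded up to whole `VALUE` slots and that `u3.cnt` now holds the slot count rather than `len / sizeof(VALUE)` would also help whoever reads the node later.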