ruby-changes:42980
From: nobu <ko1@a...>
Date: Wed, 18 May 2016 14:52:45 +0900 (JST)
Subject: [ruby-changes:42980] nobu:r55054 (trunk): string.c: integer overflow
nobu 2016-05-18 14:52:40 +0900 (Wed, 18 May 2016) New Revision: 55054 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55054 Log: string.c: integer overflow * string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390] Modified files: trunk/ChangeLog trunk/string.c trunk/test/-ext-/string/test_modify_expand.rb Index: test/-ext-/string/test_modify_expand.rb =================================================================== --- test/-ext-/string/test_modify_expand.rb (revision 55053) +++ test/-ext-/string/test_modify_expand.rb (revision 55054) @@ -13,4 +13,13 @@ class Test_StringModifyExpand < Test::Un https://github.com/ruby/ruby/blob/trunk/test/-ext-/string/test_modify_expand.rb#L13 s.replace("") CMD end + + def test_integer_overflow + bug12390 = '[ruby-core:75592] [Bug #12390]' + s = Bug::String.new + long_max = (1 << (8 * RbConfig::SIZEOF['long'] - 1)) - 1 + assert_raise(ArgumentError, bug12390) { + s.modify_expand!(long_max) + } + end end Index: string.c =================================================================== --- string.c (revision 55053) +++ string.c (revision 55054) @@ -1914,6 +1914,9 @@ rb_str_modify_expand(VALUE str, long exp https://github.com/ruby/ruby/blob/trunk/string.c#L1914 else if (expand > 0) { long len = RSTRING_LEN(str); long capa = len + expand; + if (expand >= LONG_MAX - len - termlen) { + rb_raise(rb_eArgError, "string size too big"); + } if (!STR_EMBED_P(str)) { REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen); RSTRING(str)->as.heap.aux.capa = capa; Index: ChangeLog =================================================================== --- ChangeLog (revision 55053) +++ ChangeLog (revision 55054) 
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Wed May 18 14:52:38 2016 Nobuyoshi Nakada <nobu@r...> + + * string.c (rb_str_modify_expand): check integer overflow. + [ruby-core:75592] [Bug #12390] + Wed May 18 13:11:44 2016 NARUSE, Yui <naruse@r...> * re.c (match_ary_subseq): get subseq of match array without creating -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
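Review bot: in the string.c hunk the new overflow check sits after `long capa = len + expand;`, so the addition that can overflow is still evaluated before it is rejected, and signed overflow in C is undefined behaviour rather than a harmless wrap. Move the `if (expand >= LONG_MAX - len - termlen)` check above the `capa` computation, or assign `capa` only once the check has passed, so the guarded expression is never computed on the failing path.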
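Review bot: the new `test_integer_overflow` in test_modify_expand.rb only exercises the empty-string case (`Bug::String.new`, so `len` is 0), which means the `len` and `termlen` terms in the new check are never what makes the condition true. Add a second assertion on a non-empty `Bug::String` with an `expand` value that fits on its own but exceeds `LONG_MAX - len - termlen` once the existing length is added, so the part of the check that is not covered by `long_max` itself is also tested.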