[前][次][番号順一覧][スレッド一覧]

ruby-changes:42980

From: nobu <ko1@a...>
Date: Wed, 18 May 2016 14:52:45 +0900 (JST)
Subject: [ruby-changes:42980] nobu:r55054 (trunk): string.c: integer overflow

nobu	2016-05-18 14:52:40 +0900 (Wed, 18 May 2016)

  New Revision: 55054

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55054

  Log:
    string.c: integer overflow
    
    * string.c (rb_str_modify_expand): check integer overflow.
      [ruby-core:75592] [Bug #12390]

  Modified files:
    trunk/ChangeLog
    trunk/string.c
    trunk/test/-ext-/string/test_modify_expand.rb
Index: test/-ext-/string/test_modify_expand.rb
===================================================================
--- test/-ext-/string/test_modify_expand.rb	(revision 55053)
+++ test/-ext-/string/test_modify_expand.rb	(revision 55054)
@@ -13,4 +13,13 @@ class Test_StringModifyExpand < Test::Un https://github.com/ruby/ruby/blob/trunk/test/-ext-/string/test_modify_expand.rb#L13
       s.replace("")
     CMD
   end
+
+  def test_integer_overflow
+    bug12390 = '[ruby-core:75592] [Bug #12390]'
+    s = Bug::String.new
+    long_max = (1 << (8 * RbConfig::SIZEOF['long'] - 1)) - 1
+    assert_raise(ArgumentError, bug12390) {
+      s.modify_expand!(long_max)
+    }
+  end
 end
Index: string.c
===================================================================
--- string.c	(revision 55053)
+++ string.c	(revision 55054)
@@ -1914,6 +1914,9 @@ rb_str_modify_expand(VALUE str, long exp https://github.com/ruby/ruby/blob/trunk/string.c#L1914
     else if (expand > 0) {
 	long len = RSTRING_LEN(str);
 	long capa = len + expand;
+	if (expand >= LONG_MAX - len - termlen) {
+	    rb_raise(rb_eArgError, "string size too big");
+	}
 	if (!STR_EMBED_P(str)) {
 	    REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen);
 	    RSTRING(str)->as.heap.aux.capa = capa;
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 55053)
+++ ChangeLog	(revision 55054)
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Wed May 18 14:52:38 2016  Nobuyoshi Nakada  <nobu@r...>
+
+	* string.c (rb_str_modify_expand): check integer overflow.
+	  [ruby-core:75592] [Bug #12390]
+
 Wed May 18 13:11:44 2016  NARUSE, Yui  <naruse@r...>
 
 	* re.c (match_ary_subseq): get subseq of match array without creating

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]