ruby-changes:43278
From: usa <ko1@a...>
Date: Fri, 10 Jun 2016 15:59:03 +0900 (JST)
Subject: [ruby-changes:43278] usa:r55352 (ruby_2_2): merge revision(s) 55054: [Backport #12390]
usa 2016-06-10 15:58:57 +0900 (Fri, 10 Jun 2016) New Revision: 55352 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55352 Log: merge revision(s) 55054: [Backport #12390] * string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390] Modified directories: branches/ruby_2_2/ Modified files: branches/ruby_2_2/ChangeLog branches/ruby_2_2/string.c branches/ruby_2_2/test/-ext-/string/test_modify_expand.rb branches/ruby_2_2/version.h Index: ruby_2_2/version.h =================================================================== --- ruby_2_2/version.h (revision 55351) +++ ruby_2_2/version.h (revision 55352) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1 #define RUBY_VERSION "2.2.6" #define RUBY_RELEASE_DATE "2016-06-10" -#define RUBY_PATCHLEVEL 327 +#define RUBY_PATCHLEVEL 328 #define RUBY_RELEASE_YEAR 2016 #define RUBY_RELEASE_MONTH 6 Index: ruby_2_2/string.c =================================================================== --- ruby_2_2/string.c (revision 55351) +++ ruby_2_2/string.c (revision 55352) @@ -1635,6 +1635,9 @@ rb_str_modify_expand(VALUE str, long exp https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L1635 long len = RSTRING_LEN(str); long capa = len + expand; int termlen = TERM_LEN(str); + if (expand >= LONG_MAX - len - termlen) { + rb_raise(rb_eArgError, "string size too big"); + } if (!STR_EMBED_P(str)) { REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen); RSTRING(str)->as.heap.aux.capa = capa; Index: ruby_2_2/ChangeLog =================================================================== --- ruby_2_2/ChangeLog (revision 55351) +++ ruby_2_2/ChangeLog (revision 55352) 
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1 +Fri Jun 10 15:56:24 2016 Nobuyoshi Nakada <nobu@r...> + + * string.c (rb_str_modify_expand): check integer overflow. + [ruby-core:75592] [Bug #12390] + Fri Jun 10 15:54:05 2016 Benoit Daloze <eregontp@g...> * insns.def (defineclass): Also raise an error when redeclaring the Index: ruby_2_2/test/-ext-/string/test_modify_expand.rb =================================================================== --- ruby_2_2/test/-ext-/string/test_modify_expand.rb (revision 55351) +++ ruby_2_2/test/-ext-/string/test_modify_expand.rb (revision 55352) @@ -12,4 +12,13 @@ class Test_StringModifyExpand < Test::Un https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/-ext-/string/test_modify_expand.rb#L12 s.replace("") CMD end + + def test_integer_overflow + bug12390 = '[ruby-core:75592] [Bug #12390]' + s = Bug::String.new + long_max = (1 << (8 * RbConfig::SIZEOF['long'] - 1)) - 1 + assert_raise(ArgumentError, bug12390) { + s.modify_expand!(long_max) + } + end end Property changes on: ruby_2_2 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r55054 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
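Review bot: In the string.c hunk for rb_str_modify_expand, the new guard runs after `long capa = len + expand;` has already been evaluated in the declaration, so the signed addition can still overflow before `expand >= LONG_MAX - len - termlen` is tested. Signed overflow is undefined behaviour in C, and a compiler is entitled to assume it never happens when it optimises the code that follows. Declare `capa` without an initializer and assign `capa = len + expand;` only after the check has passed, so that the guard is the first place the sum is considered. The subtraction in the guard is safe only while `len` and `termlen` are non-negative, which is worth stating in a short comment next to the check.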
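Review bot: In the test_modify_expand.rb hunk, test_integer_overflow calls `s.modify_expand!(long_max)` only on a freshly created `Bug::String.new`, so it exercises the extreme value but not the boundary of the new comparison. Add a case with a string that already has content and an expand value just below `long_max`, so that it is the `len` and `termlen` terms that tip the sum over the limit. Without that case, a later change that drops either term from the check would still pass this test.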