ruby-changes:43352
From: nagachika <ko1@a...>
Date: Thu, 16 Jun 2016 01:05:09 +0900 (JST)
Subject: [ruby-changes:43352] nagachika:r55426 (ruby_2_3): merge revision(s) 55054: [Backport #12390]
nagachika 2016-06-16 01:05:04 +0900 (Thu, 16 Jun 2016) New Revision: 55426 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55426 Log: merge revision(s) 55054: [Backport #12390] * string.c (rb_str_modify_expand): check integer overflow. [ruby-core:75592] [Bug #12390] Modified directories: branches/ruby_2_3/ Modified files: branches/ruby_2_3/ChangeLog branches/ruby_2_3/string.c branches/ruby_2_3/test/-ext-/string/test_modify_expand.rb branches/ruby_2_3/version.h Index: ruby_2_3/version.h =================================================================== --- ruby_2_3/version.h (revision 55425) +++ ruby_2_3/version.h (revision 55426) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/version.h#L1 #define RUBY_VERSION "2.3.2" #define RUBY_RELEASE_DATE "2016-06-16" -#define RUBY_PATCHLEVEL 131 +#define RUBY_PATCHLEVEL 132 #define RUBY_RELEASE_YEAR 2016 #define RUBY_RELEASE_MONTH 6 Index: ruby_2_3/ChangeLog =================================================================== --- ruby_2_3/ChangeLog (revision 55425) +++ ruby_2_3/ChangeLog (revision 55426) @@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_3/ChangeLog#L1 +Thu Jun 16 00:42:56 2016 Nobuyoshi Nakada <nobu@r...> + + * string.c (rb_str_modify_expand): check integer overflow. + [ruby-core:75592] [Bug #12390] + Thu Jun 16 00:29:29 2016 Nobuyoshi Nakada <nobu@r...> * vm_insnhelper.c (vm_get_ev_const): warn deprecated constant even Index: ruby_2_3/string.c =================================================================== --- ruby_2_3/string.c (revision 55425) +++ ruby_2_3/string.c (revision 55426) @@ -1820,6 +1820,9 @@ rb_str_modify_expand(VALUE str, long exp https://github.com/ruby/ruby/blob/trunk/ruby_2_3/string.c#L1820 else if (expand > 0) { long len = RSTRING_LEN(str); long capa = len + expand; + if (expand >= LONG_MAX - len - termlen) { + rb_raise(rb_eArgError, "string size too big"); + } if (!STR_EMBED_P(str)) { REALLOC_N(RSTRING(str)->as.heap.ptr, char, capa + termlen); RSTRING(str)->as.heap.aux.capa = capa; Index: ruby_2_3/test/-ext-/string/test_modify_expand.rb =================================================================== --- ruby_2_3/test/-ext-/string/test_modify_expand.rb (revision 55425) +++ ruby_2_3/test/-ext-/string/test_modify_expand.rb (revision 55426) @@ -13,4 +13,13 @@ class Test_StringModifyExpand < Test::Un https://github.com/ruby/ruby/blob/trunk/ruby_2_3/test/-ext-/string/test_modify_expand.rb#L13 s.replace("") CMD end + + def test_integer_overflow + bug12390 = '[ruby-core:75592] [Bug #12390]' + s = Bug::String.new + long_max = (1 << (8 * RbConfig::SIZEOF['long'] - 1)) - 1 + assert_raise(ArgumentError, bug12390) { + s.modify_expand!(long_max) + } + end end Property changes on: ruby_2_3 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r55054 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/