
ruby-changes:43799

From: usa <ko1@a...>
Date: Fri, 12 Aug 2016 11:35:57 +0900 (JST)
Subject: [ruby-changes:43799] usa:r55872 (ruby_2_2): merge revision(s) 55427: [Backport #12503]

usa	2016-08-12 11:35:50 +0900 (Fri, 12 Aug 2016)

  New Revision: 55872

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55872

  Log:
    merge revision(s) 55427: [Backport #12503]
    
    * string.c (tr_trans): consider terminator length and fix heap
      overflow.  reported by Guido Vranken <guido AT guidovranken.nl>.

  Modified directories:
    branches/ruby_2_2/
  Modified files:
    branches/ruby_2_2/ChangeLog
    branches/ruby_2_2/string.c
    branches/ruby_2_2/version.h
Index: ruby_2_2/version.h
===================================================================
--- ruby_2_2/version.h	(revision 55871)
+++ ruby_2_2/version.h	(revision 55872)
@@ -1,9 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1
 #define RUBY_VERSION "2.2.6"
-#define RUBY_RELEASE_DATE "2016-07-12"
-#define RUBY_PATCHLEVEL 344
+#define RUBY_RELEASE_DATE "2016-08-12"
+#define RUBY_PATCHLEVEL 345
 
 #define RUBY_RELEASE_YEAR 2016
-#define RUBY_RELEASE_MONTH 7
+#define RUBY_RELEASE_MONTH 8
 #define RUBY_RELEASE_DAY 12
 
 #include "ruby/version.h"
Index: ruby_2_2/string.c
===================================================================
--- ruby_2_2/string.c	(revision 55871)
+++ ruby_2_2/string.c	(revision 55872)
@@ -5576,6 +5576,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5576
     char *s, *send;
     VALUE hash = 0;
     int singlebyte = single_byte_optimizable(str);
+    int termlen;
     int cr;
 
 #define CHECK_IF_ASCII(c) \
@@ -5657,11 +5658,12 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5658
 	cr = ENC_CODERANGE_7BIT;
     str_modify_keep_cr(str);
     s = RSTRING_PTR(str); send = RSTRING_END(str);
+    termlen = rb_enc_mbminlen(enc);
     if (sflag) {
 	int clen, tlen;
 	long offset, max = RSTRING_LEN(str);
 	unsigned int save = -1;
-	char *buf = ALLOC_N(char, max), *t = buf;
+	char *buf = ALLOC_N(char, max + termlen), *t = buf;
 
 	while (s < send) {
 	    int may_modify = 0;
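Review bot: Nothing next to `ALLOC_N(char, max + termlen)` records why the extra bytes are reserved, and the same `+ termlen` now has to stay in step across four allocation sites in tr_trans. A short comment beside the `termlen = rb_enc_mbminlen(enc);` assignment would make the invariant explicit, e.g. `/* buf always holds max + termlen bytes; the grow loops keep t - buf < max so TERM_FILL(t, termlen) stays in bounds */`. That wording is inferred from the grow loops and TERM_FILL calls visible in the later hunks, so confirm it against the full loop bodies. tr_trans starts and ends outside this hunk.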
@@ -5702,7 +5704,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5704
 	    while (t - buf + tlen >= max) {
 		offset = t - buf;
 		max *= 2;
-		REALLOC_N(buf, char, max);
+		REALLOC_N(buf, char, max + termlen);
 		t = buf + offset;
 	    }
 	    rb_enc_mbcput(c, t, enc);
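Review bot: `max *= 2` in this grow loop is unchecked signed arithmetic, and `max + termlen` is evaluated before REALLOC_N receives it, so any overflow check inside the allocator would come too late. On a platform where long is 32 bits, a buffer already above 1 GiB would overflow on the next doubling; that is probably hard to reach, but it is undefined behaviour in the very path this commit hardens against a heap overflow. A guard ahead of the doubling, for example `if (max > (LONG_MAX - termlen) / 2) rb_memerror();`, would close it. The identical loop in the `else` branch (the later `REALLOC_N(buf, char, max + termlen)` hunk) needs the same guard. The enclosing while body starts outside this hunk.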
@@ -5715,7 +5717,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5717
 	if (!STR_EMBED_P(str)) {
 	    ruby_sized_xfree(STR_HEAP_PTR(str), STR_HEAP_SIZE(str));
 	}
-	TERM_FILL(t, rb_enc_mbminlen(enc));
+	TERM_FILL(t, termlen);
 	RSTRING(str)->as.heap.ptr = buf;
 	RSTRING(str)->as.heap.len = t - buf;
 	STR_SET_NOEMBED(str);
@@ -5740,9 +5742,9 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5742
 	}
     }
     else {
-	int clen, tlen, max = (int)(RSTRING_LEN(str) * 1.2);
-	long offset;
-	char *buf = ALLOC_N(char, max), *t = buf;
+	int clen, tlen;
+	long offset, max = (long)((send - s) * 1.2);
+	char *buf = ALLOC_N(char, max + termlen), *t = buf;
 
 	while (s < send) {
 	    int may_modify = 0;
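Review bot: The initial size `(long)((send - s) * 1.2)` is computed through a double, which is an awkward way to size a heap buffer, because the result depends on floating-point rounding and on a double-to-long conversion. An integer form such as `long offset, max = (send - s) + (send - s) / 5;` gives the same roughly 20% headroom without leaving integer arithmetic. Moving `max` from int to long here is a real improvement, since the old `(int)` cast could truncate for very long strings. Bounds safety still rests on the grow loop further down, not on this estimate, and the branch body continues outside the hunk.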
@@ -5775,7 +5777,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5777
 	    while (t - buf + tlen >= max) {
 		offset = t - buf;
 		max *= 2;
-		REALLOC_N(buf, char, max);
+		REALLOC_N(buf, char, max + termlen);
 		t = buf + offset;
 	    }
 	    if (s != t) {
@@ -5791,7 +5793,7 @@ tr_trans(VALUE str, VALUE src, VALUE rep https://github.com/ruby/ruby/blob/trunk/ruby_2_2/string.c#L5793
 	if (!STR_EMBED_P(str)) {
 	    ruby_sized_xfree(STR_HEAP_PTR(str), STR_HEAP_SIZE(str));
 	}
-	TERM_FILL(t, rb_enc_mbminlen(enc));
+	TERM_FILL(t, termlen);
 	RSTRING(str)->as.heap.ptr = buf;
 	RSTRING(str)->as.heap.len = t - buf;
 	STR_SET_NOEMBED(str);
Index: ruby_2_2/ChangeLog
===================================================================
--- ruby_2_2/ChangeLog	(revision 55871)
+++ ruby_2_2/ChangeLog	(revision 55872)
@@ -1,3 +1,8 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1
+Fri Aug 12 11:21:24 2016  Nobuyoshi Nakada  <nobu@r...>
+
+	* string.c (tr_trans): consider terminator length and fix heap
+	  overflow.  reported by Guido Vranken <guido AT guidovranken.nl>.
+
 Tue Jul 12 00:17:36 2016  NAKAMURA Usaku  <usa@r...>
 
 	* tool/fake.rb: don't fake libdir.  use libdirname instead.

Property changes on: ruby_2_2
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /trunk:r55427


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
