ruby-changes:44075
From: rhe <ko1@a...>
Date: Tue, 13 Sep 2016 16:08:21 +0900 (JST)
Subject: [ruby-changes:44075] rhe:r56148 (trunk): string.c: fix buffer overflow check condition in rb_str_set_len()
rhe 2016-09-13 16:08:15 +0900 (Tue, 13 Sep 2016) New Revision: 56148 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=56148 Log: string.c: fix buffer overflow check condition in rb_str_set_len() * string.c (rb_str_set_len): The buffer overflow check is wrong. The space for termlen is allocated outside the capacity returned by rb_str_capacity(). This fixes r41920 ("string.c: multi-byte terminator", 2013-07-11). [ruby-core:77257] [Bug #12757] * test/-ext-/string/test_set_len.rb (test_capacity_equals_to_new_size): Test for this change. Applying only the test will trigger [BUG]. Modified files: trunk/ChangeLog trunk/string.c trunk/test/-ext-/string/test_set_len.rb Index: test/-ext-/string/test_set_len.rb =================================================================== --- test/-ext-/string/test_set_len.rb (revision 56147) +++ test/-ext-/string/test_set_len.rb (revision 56148) @@ -23,4 +23,13 @@ class Test_StrSetLen < Test::Unit::TestC https://github.com/ruby/ruby/blob/trunk/test/-ext-/string/test_set_len.rb#L23 assert_equal("abc", @s1.set_len(3)) } end + + def test_capacity_equals_to_new_size + bug12757 = "[ruby-core:77257] [Bug #12757]" + # fill to ensure capacity does not decrease with force_encoding + str = Bug::String.new("\x00" * 128, capacity: 128) + str.force_encoding("UTF-32BE") + assert_equal 128, Bug::String.capacity(str) + assert_equal 127, str.set_len(127).bytesize, bug12757 + end end Index: ChangeLog =================================================================== --- ChangeLog (revision 56147) +++ ChangeLog (revision 56148) 
@@ -1,3 +1,13 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Tue Sep 13 16:07:26 2016 Kazuki Yamaguchi <k@r...> + + * string.c (rb_str_set_len): The buffer overflow check is wrong. The + space for termlen is allocated outside the capacity returned by + rb_str_capacity(). This fixes r41920 ("string.c: multi-byte + terminator", 2013-07-11). [ruby-core:77257] [Bug #12757] + + * test/-ext-/string/test_set_len.rb (test_capacity_equals_to_new_size): + Test for this change. Applying only the test will trigger [BUG]. + Tue Sep 13 06:03:34 2016 NARUSE, Yui <naruse@r...> * common.mk (benchmark): fix lib path. Index: string.c =================================================================== --- string.c (revision 56147) +++ string.c (revision 56148) @@ -2497,7 +2497,7 @@ rb_str_set_len(VALUE str, long len) https://github.com/ruby/ruby/blob/trunk/string.c#L2497 if (STR_SHARED_P(str)) { rb_raise(rb_eRuntimeError, "can't set length of shared string"); } - if (len + termlen - 1 > (capa = (long)rb_str_capacity(str))) { + if (len > (capa = (long)str_capacity(str, termlen))) { rb_bug("probable buffer overflow: %ld for %ld", len, capa); } STR_SET_LEN(str, len); -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
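Review bot: test_capacity_equals_to_new_size (test/-ext-/string/test_set_len.rb hunk) pins only one terminator width (UTF-32BE, termlen 4) and one length (127), while the condition being fixed is about len reaching the capacity itself; an additional assertion such as `assert_equal 128, str.set_len(128).bytesize, bug12757` plus a UTF-16 (termlen 2) variant would cover both edges of the off-by-termlen error. The `bug12757` message is attached only to the bytesize assertion; the preceding `assert_equal 128, Bug::String.capacity(str)` is what keeps the test meaningful if force_encoding ever shrinks the capacity, so attach the message there as well. Minor: the comment "fill to ensure capacity does not decrease with force_encoding" reads more clearly as "pre-fill the buffer so force_encoding cannot shrink the capacity".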
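Review bot: the removed condition in rb_str_set_len() (string.c hunk) double-counts the terminator: as the log says, rb_str_capacity() already excludes the termlen bytes, so `len + termlen - 1 > capa` fires for any legal len within termlen-1 of the capacity; with the new test's 128-byte buffer under UTF-32BE (termlen 4), set_len(127) evaluates 130 > 128 and aborts via rb_bug() even though the write fits. The replacement `len > (capa = (long)str_capacity(str, termlen))` is the right shape because the visible call passes termlen into the capacity computation, but nothing in the hunk records that relationship for the next reader; suggest a one-line comment above the check stating that str_capacity(str, termlen) already accounts for the terminator, and keeping rb_bug() rather than rb_raise() here, since an overlong len handed in by a C extension is a memory-safety invariant violation, not a recoverable error. Also worth checking that the capa printed in the "probable buffer overflow" message is the same value the comparison used, which the assignment inside the condition does guarantee.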