
ruby-changes:44075

From: rhe <ko1@a...>
Date: Tue, 13 Sep 2016 16:08:21 +0900 (JST)
Subject: [ruby-changes:44075] rhe:r56148 (trunk): string.c: fix buffer overflow check condition in rb_str_set_len()

rhe	2016-09-13 16:08:15 +0900 (Tue, 13 Sep 2016)

  New Revision: 56148

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=56148

  Log:
    string.c: fix buffer overflow check condition in rb_str_set_len()
    
    * string.c (rb_str_set_len): The buffer overflow check is wrong. The
      space for termlen is allocated outside the capacity returned by
      rb_str_capacity(). This fixes r41920 ("string.c: multi-byte
      terminator", 2013-07-11).  [ruby-core:77257] [Bug #12757]
    
    * test/-ext-/string/test_set_len.rb (test_capacity_equals_to_new_size):
      Test for this change. Applying only the test will trigger [BUG].

  Modified files:
    trunk/ChangeLog
    trunk/string.c
    trunk/test/-ext-/string/test_set_len.rb
Index: test/-ext-/string/test_set_len.rb
===================================================================
--- test/-ext-/string/test_set_len.rb	(revision 56147)
+++ test/-ext-/string/test_set_len.rb	(revision 56148)
@@ -23,4 +23,13 @@ class Test_StrSetLen < Test::Unit::TestC https://github.com/ruby/ruby/blob/trunk/test/-ext-/string/test_set_len.rb#L23
       assert_equal("abc", @s1.set_len(3))
     }
   end
+
+  def test_capacity_equals_to_new_size
+    bug12757 = "[ruby-core:77257] [Bug #12757]"
+    # fill to ensure capacity does not decrease with force_encoding
+    str = Bug::String.new("\x00" * 128, capacity: 128)
+    str.force_encoding("UTF-32BE")
+    assert_equal 128, Bug::String.capacity(str)
+    assert_equal 127, str.set_len(127).bytesize, bug12757
+  end
 end
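
Review bot: test_capacity_equals_to_new_size never exercises the case its name describes: the capacity is asserted to be 128, but the length passed to set_len is 127. With the 4-byte UTF-32BE terminator the old condition already tripped at 127, so the regression is covered. Still, consider either renaming the test or adding an assertion for `str.set_len(128)`, if that length is meant to be accepted, so the exact boundary where len equals the capacity is pinned down too. The bug12757 message is attached only to the second assertion; passing it to the capacity assertion as well would make a failure there easier to trace.
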
Index: ChangeLog
===================================================================
--- ChangeLog	(revision 56147)
+++ ChangeLog	(revision 56148)
@@ -1,3 +1,13 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Tue Sep 13 16:07:26 2016  Kazuki Yamaguchi  <k@r...>
+
+	* string.c (rb_str_set_len): The buffer overflow check is wrong. The
+	  space for termlen is allocated outside the capacity returned by
+	  rb_str_capacity(). This fixes r41920 ("string.c: multi-byte
+	  terminator", 2013-07-11).  [ruby-core:77257] [Bug #12757]
+
+	* test/-ext-/string/test_set_len.rb (test_capacity_equals_to_new_size):
+	  Test for this change. Applying only the test will trigger [BUG].
+
 Tue Sep 13 06:03:34 2016  NARUSE, Yui  <naruse@r...>
 
 	* common.mk (benchmark): fix lib path.
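
Review bot: the new entry says the check "is wrong" without saying in which direction. State that the old condition counted the terminator against the capacity and therefore raised [BUG] for a length that fits, which is what "Applying only the test will trigger [BUG]" implies. As written, a reader can take this for a missed overflow rather than a false positive.
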
Index: string.c
===================================================================
--- string.c	(revision 56147)
+++ string.c	(revision 56148)
@@ -2497,7 +2497,7 @@ rb_str_set_len(VALUE str, long len) https://github.com/ruby/ruby/blob/trunk/string.c#L2497
     if (STR_SHARED_P(str)) {
 	rb_raise(rb_eRuntimeError, "can't set length of shared string");
     }
-    if (len + termlen - 1 > (capa = (long)rb_str_capacity(str))) {
+    if (len > (capa = (long)str_capacity(str, termlen))) {
 	rb_bug("probable buffer overflow: %ld for %ld", len, capa);
     }
     STR_SET_LEN(str, len);
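
Review bot: the new condition `len > (capa = (long)str_capacity(str, termlen))` depends on str_capacity() already accounting for the terminator, which is not evident at this call site. A one-line comment saying that the terminator space lies outside the returned capacity would keep someone from reintroducing the `+ termlen - 1` adjustment. Also, only the upper bound of the signed `len` is checked in these lines; if nothing earlier in the function rejects a negative value, it reaches STR_SET_LEN unchecked. Hoisting the assignment to capa out of the condition would make the comparison easier to read.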

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
