ruby-changes:45147
From: usa <ko1@a...>
Date: Tue, 27 Dec 2016 20:03:55 +0900 (JST)
Subject: [ruby-changes:45147] usa:r57220 (ruby_2_2): merge revision(s) 57119: [Backport #13052]
usa 2016-12-27 20:03:50 +0900 (Tue, 27 Dec 2016) New Revision: 57220 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=57220 Log: merge revision(s) 57119: [Backport #13052] array.c: check array length every time after yielding Since the Array may be modified during rb_yield(), the length before invoking the block can't be trusted. Fix possible out-of-bounds read in Array#combination and Array#repeated_combination. It may better to make a defensive copy of the Array, but for now let's follow what Array#permutation does. [ruby-core:78738] [Bug #13052] Modified directories: branches/ruby_2_2/ Modified files: branches/ruby_2_2/ChangeLog branches/ruby_2_2/array.c branches/ruby_2_2/test/ruby/test_array.rb branches/ruby_2_2/version.h Index: ruby_2_2/array.c =================================================================== --- ruby_2_2/array.c (revision 57219) +++ ruby_2_2/array.c (revision 57220) @@ -4985,7 +4985,7 @@ rb_ary_combination(VALUE ary, VALUE num) https://github.com/ruby/ruby/blob/trunk/ruby_2_2/array.c#L4985 rb_yield(rb_ary_new2(0)); } else if (n == 1) { - for (i = 0; i < len; i++) { + for (i = 0; i < RARRAY_LEN(ary); i++) { rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i))); } } @@ -5184,7 +5184,7 @@ rb_ary_repeated_combination(VALUE ary, V https://github.com/ruby/ruby/blob/trunk/ruby_2_2/array.c#L5184 rb_yield(rb_ary_new2(0)); } else if (n == 1) { - for (i = 0; i < len; i++) { + for (i = 0; i < RARRAY_LEN(ary); i++) { rb_yield(rb_ary_new3(1, RARRAY_AREF(ary, i))); } } Index: ruby_2_2/version.h =================================================================== --- ruby_2_2/version.h (revision 57219) +++ ruby_2_2/version.h (revision 57220) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/version.h#L1 #define RUBY_VERSION "2.2.7" #define RUBY_RELEASE_DATE "2016-12-27" -#define RUBY_PATCHLEVEL 410 +#define RUBY_PATCHLEVEL 411 #define RUBY_RELEASE_YEAR 2016 #define RUBY_RELEASE_MONTH 12 Index: ruby_2_2/test/ruby/test_array.rb =================================================================== --- ruby_2_2/test/ruby/test_array.rb (revision 57219) +++ ruby_2_2/test/ruby/test_array.rb (revision 57220) @@ -2329,11 +2329,18 @@ class TestArray < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/ruby_2_2/test/ruby/test_array.rb#L2329 def test_combination_clear bug9939 = '[ruby-core:63149] [Bug #9939]' - assert_separately([], <<-'end;') - 100_000.times {Array.new(1000)} + assert_nothing_raised(bug9939) { a = [*0..100] a.combination(3) {|*,x| a.clear} - end; + } + + bug13052 = '[ruby-core:78738] [Bug #13052] Array#combination segfaults if the Array is modified during iteration' + assert_nothing_raised(bug13052) { + a = [*0..100] + a.combination(1) { a.clear } + a = [*0..100] + a.repeated_combination(1) { a.clear } + } end def test_product2 Index: ruby_2_2/ChangeLog =================================================================== --- ruby_2_2/ChangeLog (revision 57219) +++ ruby_2_2/ChangeLog (revision 57220) @@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_2/ChangeLog#L1 +Tue Dec 27 20:02:43 2016 Kazuki Yamaguchi <k@r...> + + * array.c (rb_ary_{repeated_,}combination): check array length every + time after yielding. + + Since the Array may be modified during rb_yield(), the length before + invoking the block can't be trusted. Fix possible out-of-bounds read + in Array#combination and Array#repeated_combination. + + It may better to make a defensive copy of the Array, but for now let's + follow what Array#permutation does. [Bug #13052] + Tue Dec 27 19:57:51 2016 Nobuyoshi Nakada <nobu@r...> * sprintf.c (rb_str_format): fix memory corruption by width underflow. Property changes on: ruby_2_2 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r57119 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/