
ruby-changes:50786

From: nobu <ko1@a...>
Date: Wed, 28 Mar 2018 19:12:22 +0900 (JST)
Subject: [ruby-changes:50786] nobu:r62992 (trunk): pack.c: fix underflow

nobu	2018-03-28 19:12:17 +0900 (Wed, 28 Mar 2018)

  New Revision: 62992

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62992

  Log:
    pack.c: fix underflow
    
    * pack.c (pack_unpack_internal): get rid of underflow.
      https://hackerone.com/reports/298246

  Modified files:
    trunk/pack.c
    trunk/test/ruby/test_pack.rb
Index: pack.c
===================================================================
--- pack.c	(revision 62991)
+++ pack.c	(revision 62992)
@@ -1128,7 +1128,7 @@ pack_unpack_internal(VALUE str, VALUE fm https://github.com/ruby/ruby/blob/trunk/pack.c#L1128
 	else if (ISDIGIT(*p)) {
 	    errno = 0;
 	    len = STRTOUL(p, (char**)&p, 10);
-	    if (errno) {
+	    if (len < 0 || errno) {
 		rb_raise(rb_eRangeError, "pack length too big");
 	    }
 	}
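
Review bot: In the ISDIGIT branch, `if (len < 0 || errno)` only catches the wrapped value if `len` is a signed type, and its declaration is not visible in this hunk. A one-line comment above the check, saying that a STRTOUL result above the signed maximum becomes negative once stored in `len`, would explain why an unsigned parse result is being tested against zero. The existing message "pack length too big" still fits this case, since the input was a large positive number.
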
Index: test/ruby/test_pack.rb
===================================================================
--- test/ruby/test_pack.rb	(revision 62991)
+++ test/ruby/test_pack.rb	(revision 62992)
@@ -550,6 +550,9 @@ class TestPack < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_pack.rb#L550
     assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C"))
     assert_equal([nil], "\x00".unpack("@1C")) # is it OK?
     assert_raise(ArgumentError) { "\x00".unpack("@2C") }
+
+    pos = RbConfig::LIMITS["UINTPTR_MAX"] - 99 # -100
+    assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
   end
 
   def test_pack_unpack_percent
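
Review bot: The `# -100` comment on the `pos` line does not say why UINTPTR_MAX - 99 equals -100; stating that the parsed count wraps to -100 when stored as a signed length would tie this test to the `len < 0` check in pack.c. The new assertion also exercises only the `@` directive, while the check sits in the digit-count branch, so a case with an oversized count on another directive and one at the smallest value that wraps would cover the boundary.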

--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
