ruby-changes:50786
From: nobu <ko1@a...>
Date: Wed, 28 Mar 2018 19:12:22 +0900 (JST)
Subject: [ruby-changes:50786] nobu:r62992 (trunk): pack.c: fix underflow
nobu 2018-03-28 19:12:17 +0900 (Wed, 28 Mar 2018) New Revision: 62992 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=62992 Log: pack.c: fix underflow * pack.c (pack_unpack_internal): get rid of underflow. https://hackerone.com/reports/298246 Modified files: trunk/pack.c trunk/test/ruby/test_pack.rb Index: pack.c =================================================================== --- pack.c (revision 62991) +++ pack.c (revision 62992) @@ -1128,7 +1128,7 @@ pack_unpack_internal(VALUE str, VALUE fm https://github.com/ruby/ruby/blob/trunk/pack.c#L1128 else if (ISDIGIT(*p)) { errno = 0; len = STRTOUL(p, (char**)&p, 10); - if (errno) { + if (len < 0 || errno) { rb_raise(rb_eRangeError, "pack length too big"); } } Index: test/ruby/test_pack.rb =================================================================== --- test/ruby/test_pack.rb (revision 62991) +++ test/ruby/test_pack.rb (revision 62992) @@ -550,6 +550,9 @@ class TestPack < Test::Unit::TestCase https://github.com/ruby/ruby/blob/trunk/test/ruby/test_pack.rb#L550 assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C")) assert_equal([nil], "\x00".unpack("@1C")) # is it OK? assert_raise(ArgumentError) { "\x00".unpack("@2C") } + + pos = RbConfig::LIMITS["UINTPTR_MAX"] - 99 # -100 + assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")} end def test_pack_unpack_percent -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
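Review bot: In the pack.c hunk of pack_unpack_internal, the new `len < 0` test detects the overflow only after the unsigned result of STRTOUL has already been stored in `len`, which must be a signed type for the test to mean anything (its declaration is outside the visible lines). That out-of-range conversion is implementation-defined in C, so it would be more robust to keep the STRTOUL result in an unsigned temporary, compare it against the maximum of `len`'s type, and assign only after the check passes. A short comment saying that the count comes from the format string and can exceed the signed range would also help, since `if (len < 0 || errno)` directly after a strtoul-style call otherwise reads as dead code.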
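Review bot: In the test/ruby/test_pack.rb hunk, the single case `pos = RbConfig::LIMITS["UINTPTR_MAX"] - 99 # -100` reaches the new `len < 0` branch only where the value parsed by STRTOUL is as wide as uintptr_t. If the parsed type is narrower, the parse itself would presumably go out of range and the pre-existing `errno` path would raise the same RangeError, so the test would pass without exercising the fix. Consider adding a case just above the largest positive value of the length type, and expanding the `# -100` comment to say that the count wraps to -100 once stored as a signed length.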