ruby-changes:69910
From: Nobuyoshi <ko1@a...>
Date: Wed, 24 Nov 2021 19:59:11 +0900 (JST)
Subject: [ruby-changes:69910] da34f31ad0 (master): [ruby/cgi] Fix integer overflow
https://git.ruby-lang.org/ruby.git/commit/?id=da34f31ad0 From da34f31ad0315b9b8dfb318aafab393aee54968f Mon Sep 17 00:00:00 2001 From: Nobuyoshi Nakada <nobu@r...> Date: Fri, 3 Sep 2021 19:40:22 +0900 Subject: [ruby/cgi] Fix integer overflow Make use of the check in rb_alloc_tmp_buffer2. https://hackerone.com/reports/1328463 https://github.com/ruby/cgi/commit/c728632c1c --- ext/cgi/escape/escape.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/cgi/escape/escape.c b/ext/cgi/escape/escape.c index 3a7837e4df9..809f95ef4cc 100644 --- a/ext/cgi/escape/escape.c +++ b/ext/cgi/escape/escape.c @@ -36,7 +36,8 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/cgi/escape/escape.c#L36 optimized_escape_html(VALUE str) { VALUE vbuf; - char *buf = ALLOCV_N(char, vbuf, RSTRING_LEN(str) * HTML_ESCAPE_MAX_LEN); + typedef char escape_buf[HTML_ESCAPE_MAX_LEN]; + char *buf = *ALLOCV_N(escape_buf, vbuf, RSTRING_LEN(str)); const char *cstr = RSTRING_PTR(str); const char *end = cstr + RSTRING_LEN(str); -- cgit v1.2.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/