
ruby-changes:70136

From: Nobuyoshi <ko1@a...>
Date: Fri, 10 Dec 2021 01:05:14 +0900 (JST)
Subject: [ruby-changes:70136] bcc2bb28b0 (master): Fix stack buffer overflow

https://git.ruby-lang.org/ruby.git/commit/?id=bcc2bb28b0

From bcc2bb28b04054106f4a36e8fd69b2af6ecb033a Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@r...>
Date: Tue, 17 Aug 2021 22:01:57 +0900
Subject: Fix stack buffer overflow

https://hackerone.com/reports/1306859
---
 include/ruby/internal/memory.h | 6 +++---
 random.c                       | 7 ++-----
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/ruby/internal/memory.h b/include/ruby/internal/memory.h
index aa3464465da..242892d50f0 100644
--- a/include/ruby/internal/memory.h
+++ b/include/ruby/internal/memory.h
@@ -284,7 +284,7 @@ typedef uint128_t DSIZE_T; https://github.com/ruby/ruby/blob/trunk/include/ruby/internal/memory.h#L284
  * @return      A pointer on stack.
  */
 #define ALLOCA_N(type,n) \
-    RBIMPL_CAST((type *)alloca(rbimpl_size_mul_or_raise(sizeof(type), (n))))
+    RBIMPL_CAST((type *)(!(n) ? NULL : alloca(rbimpl_size_mul_or_raise(sizeof(type), (n)))))
 
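Review bot: The Doxygen block above ALLOCA_N still says `@return A pointer on stack.`, but the new expansion on the `+` line yields NULL when `n` is zero, so a caller that writes `buf[0]` after a zero-length request now faults instead of silently overwriting the stack; that fail-closed behaviour is the point of the change and should be documented, e.g. `@return A pointer on stack, or NULL when n is zero.` A second point of style: `n` is now evaluated twice in ALLOCA_N (once in `!(n)`, once inside `rbimpl_size_mul_or_raise`), so an argument with side effects such as `len++` changes meaning with this commit; either add `@note n is evaluated more than once` or bind it to a local where the file's conventions allow. The RB_ALLOCV and RB_ALLOCV_N hunks below gain the same NULL return and the same extra evaluation of `n`, and their doc comments need the same update.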
 /**
  * Identical to #RB_ALLOCV_N(), except it  implicitly assumes the type of array
@@ -297,7 +297,7 @@ typedef uint128_t DSIZE_T; https://github.com/ruby/ruby/blob/trunk/include/ruby/internal/memory.h#L297
  */
 #define RB_ALLOCV(v, n)        \
     ((n) < RUBY_ALLOCV_LIMIT ? \
-     ((v) = 0, alloca(n)) :    \
+     ((v) = 0, !(n) ? NULL : alloca(n)) : \
      rb_alloc_tmp_buffer(&(v), (n)))
 
 /**
@@ -330,7 +330,7 @@ typedef uint128_t DSIZE_T; https://github.com/ruby/ruby/blob/trunk/include/ruby/internal/memory.h#L330
 #define RB_ALLOCV_N(type, v, n)                             \
     RBIMPL_CAST((type *)                                     \
         (((size_t)(n) < RUBY_ALLOCV_LIMIT / sizeof(type)) ? \
-         ((v) = 0, alloca((n) * sizeof(type))) :            \
+         ((v) = 0, !(n) ? NULL : alloca((n) * sizeof(type))) : \
          rb_alloc_tmp_buffer2(&(v), (n), sizeof(type))))
 
 /**
diff --git a/random.c b/random.c
index b873d0593ed..580c1f26eb2 100644
--- a/random.c
+++ b/random.c
@@ -365,15 +365,12 @@ rand_init(const rb_random_interface_t *rng, rb_random_t *rnd, VALUE seed) https://github.com/ruby/ruby/blob/trunk/random.c#L365
     int sign;
 
     len = rb_absint_numwords(seed, 32, NULL);
+    if (len == 0) len = 1;
     buf = ALLOCV_N(uint32_t, buf0, len);
     sign = rb_integer_pack(seed, buf, len, sizeof(uint32_t), 0,
         INTEGER_PACK_LSWORD_FIRST|INTEGER_PACK_NATIVE_BYTE_ORDER);
     if (sign < 0)
         sign = -sign;
-    if (len == 0) {
-        buf[0] = 0;
-        len = 1;
-    }
     if (len > 1) {
         if (sign != 2 && buf[len-1] == 1) /* remove leading-zero-guard */
             len--;
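Review bot: The `+    if (len == 0) len = 1;` line carries no explanation of why it moved above the allocation, yet it is the actual fix: `rb_absint_numwords` yields 0 words for a zero seed, the old code then requested a zero-length buffer and the removed `buf[0] = 0` wrote one word past it. A short comment would keep a future refactor from reintroducing this, e.g. `/* a zero seed packs to 0 words; allocate one so buf[0] exists (the old buf[0] = 0 overflowed a 0-byte buffer) */`. The rewrite also drops the explicit zero store and relies on `rb_integer_pack` writing 0 into the single word when the seed is 0; I believe packing a zero value does fill the word, but that is worth confirming against bignum.c, since rand_init's body continues past this hunk and hands buf on to the generator.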
@@ -883,7 +880,7 @@ rand_mt_init(rb_random_t *rnd, const uint32_t *buf, size_t len) https://github.com/ruby/ruby/blob/trunk/random.c#L880
 {
     struct MT *mt = &((rb_random_mt_t *)rnd)->mt;
     if (len <= 1) {
-        init_genrand(mt, buf[0]);
+        init_genrand(mt, len ? buf[0] : 0);
     }
     else {
         init_by_array(mt, buf, (int)len);
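Review bot: The new `len ? buf[0] : 0` on the `init_genrand` line is a second guard for the same zero-length case, but nothing says so; as far as the memory.h hunks in this commit show, `buf` can now be NULL when `len` is 0, so a comment should make the dependency explicit: `/* len == 0: empty seed and buf may be NULL; seed with 0 */`. The unchanged `init_by_array(mt, buf, (int)len)` branch still narrows a size_t to int with no bound; whether `len` can exceed INT_MAX depends on callers outside this hunk, so at least the assumption should be noted there. rand_mt_init's body continues past this hunk.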
-- 
cgit v1.2.1


