|
 |
b6bbea |
Index: ChangeLog
|
|
|
b6bbea |
===================================================================
|
|
|
b6bbea |
--- ChangeLog (revision 46805)
|
|
|
b6bbea |
+++ ChangeLog (revision 46806)
|
|
|
4acc54 |
@@ -493,6 +493,11 @@
|
|
|
4acc54 |
* array.c (rb_ary_permutation): `p` is the array of size `r`, as
|
|
|
4acc54 |
commented at permute0(). since `n >= r` here, buffer overflow
|
|
|
4acc54 |
never happened, just reduce unnecessary allocation though.
|
|
|
4acc54 |
+
|
|
|
b6bbea |
+Sun Jul 13 22:52:43 2014 Nobuyoshi Nakada <nobu@ruby-lang.org>
|
|
|
b6bbea |
+
|
|
|
b6bbea |
+ * pack.c (encodes): fix buffer overrun by tail_lf. Thanks to
|
|
|
b6bbea |
+ Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019]
|
|
|
b6bbea |
|
|
|
4acc54 |
Mon Jul 7 13:05:04 2014 SHIBATA Hiroshi <shibata.hiroshi@gmail.com>
|
|
|
4acc54 |
|
|
|
b6bbea |
Index: pack.c
|
|
|
b6bbea |
===================================================================
|
|
|
b6bbea |
--- pack.c (revision 46805)
|
|
|
b6bbea |
+++ pack.c (revision 46806)
|
|
|
b6bbea |
@@ -1063,7 +1063,8 @@
|
|
|
b6bbea |
static void
|
|
|
b6bbea |
encodes(VALUE str, const char *s, long len, int type, int tail_lf)
|
|
|
b6bbea |
{
|
|
|
b6bbea |
- char buff[4096];
|
|
|
b6bbea |
+ enum {buff_size = 4096, encoded_unit = 4};
|
|
|
b6bbea |
+ char buff[buff_size + 1]; /* +1 for tail_lf */
|
|
|
b6bbea |
long i = 0;
|
|
|
b6bbea |
const char *trans = type == 'u' ? uu_table : b64_table;
|
|
|
b6bbea |
char padding;
|
|
|
b6bbea |
@@ -1076,7 +1077,7 @@
|
|
|
b6bbea |
padding = '=';
|
|
|
b6bbea |
}
|
|
|
b6bbea |
while (len >= 3) {
|
|
|
b6bbea |
- while (len >= 3 && sizeof(buff)-i >= 4) {
|
|
|
b6bbea |
+ while (len >= 3 && buff_size-i >= encoded_unit) {
|
|
|
b6bbea |
buff[i++] = trans[077 & (*s >> 2)];
|
|
|
b6bbea |
buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
|
|
|
b6bbea |
buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
|
|
|
b6bbea |
@@ -1084,7 +1085,7 @@
|
|
|
b6bbea |
s += 3;
|
|
|
b6bbea |
len -= 3;
|
|
|
b6bbea |
}
|
|
|
b6bbea |
- if (sizeof(buff)-i < 4) {
|
|
|
b6bbea |
+ if (buff_size-i < encoded_unit) {
|
|
|
b6bbea |
rb_str_buf_cat(str, buff, i);
|
|
|
b6bbea |
i = 0;
|
|
|
b6bbea |
}
|
|
|
b6bbea |
@@ -1104,6 +1105,7 @@
|
|
|
b6bbea |
}
|
|
|
b6bbea |
if (tail_lf) buff[i++] = '\n';
|
|
|
b6bbea |
rb_str_buf_cat(str, buff, i);
|
|
|
b6bbea |
+ if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
|
|
|
b6bbea |
}
|
|
|
b6bbea |
|
|
|
b6bbea |
static const char hex_table[] = "0123456789ABCDEF";
|
|
|
b6bbea |
Index: test/ruby/test_pack.rb
|
|
|
b6bbea |
===================================================================
|
|
|
b6bbea |
--- test/ruby/test_pack.rb (revision 46805)
|
|
|
b6bbea |
+++ test/ruby/test_pack.rb (revision 46806)
|
|
|
4acc54 |
@@ -537,6 +537,14 @@
|
|
|
b6bbea |
assert_equal(["\377"], "/w==\n".unpack("m"))
|
|
|
b6bbea |
assert_equal(["\377\377"], "//8=\n".unpack("m"))
|
|
|
b6bbea |
assert_equal(["\377\377\377"], "////\n".unpack("m"))
|
|
|
b6bbea |
+
|
|
|
b6bbea |
+ bug10019 = '[ruby-core:63604] [Bug #10019]'
|
|
|
b6bbea |
+ size = ((4096-4)/4*3+1)
|
|
|
b6bbea |
+ assert_separately(%W[- #{size} #{bug10019}], <<-'end;')
|
|
|
b6bbea |
+ size = ARGV.shift.to_i
|
|
|
b6bbea |
+ bug = ARGV.shift
|
|
|
b6bbea |
+ assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug)
|
|
|
b6bbea |
+ end;
|
|
|
b6bbea |
end
|
|
|
b6bbea |
|
|
|
b6bbea |
def test_pack_unpack_m0
|
|
|
b6bbea |
Index: .
|
|
|
b6bbea |
===================================================================
|
|
|
b6bbea |
--- . (revision 46805)
|
|
|
b6bbea |
+++ . (revision 46806)
|
|
|
b6bbea |
|
|
|
b6bbea |
Property changes on: .
|
|
|
b6bbea |
___________________________________________________________________
|
|
|
b6bbea |
Modified: svn:mergeinfo
|
|
|
b6bbea |
Merged /trunk:r46778
|