From 4dd2526cda0056e08a9eb38bac2fb4e837874ea2 Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 28 Mar 2018 10:37:07 +0000
Subject: [PATCH] pack.c: fix underflow
* pack.c (pack_unpack_internal): get rid of underflow.
https://hackerone.com/reports/298246
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@62997 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
pack.c | 2 +-
test/ruby/test_pack.rb | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/pack.c b/pack.c
index 487fdf82fa..d304dd2eea 100644
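--- a/pack.c
+++ b/pack.c
@@ -1430,7 +1430,7 @@ pack_unpack(VALUE str, VALUE fmt)
 else if (ISDIGIT(*p)) {
 errno = 0;
 len = STRTOUL(p, (char**)&p, 10);
- if (errno) {
+ if (len < 0 || errno) {
 rb_raise(rb_eRangeError, "pack length too big");
 }
 }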
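Review bot: The added `len < 0` test only catches the overflow if `len` is a signed type and the out-of-range `unsigned long` returned by `STRTOUL` turns negative on assignment, a conversion C leaves implementation-defined; the declaration of `len` is outside this hunk, so that is inferred. A more explicit form parses into an unsigned temporary and range-checks it before assigning, e.g. `unsigned long n = STRTOUL(p, (char**)&p, 10);` followed by `if (errno || n > LONG_MAX) {`. Short of that, a comment such as `/* STRTOUL is unsigned: a count above LONG_MAX becomes a negative len */` would record why the check exists. The enclosing function begins and ends outside the hunk, so whether other count parsers in pack.c repeat the unchecked `if (errno)` pattern cannot be confirmed from here and is worth checking.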
diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb
index f51d0b44e4..8ca34051a9 100644
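--- a/test/ruby/test_pack.rb
+++ b/test/ruby/test_pack.rb
@@ -471,6 +471,9 @@ class TestPack < Test::Unit::TestCase
 assert_equal([1, 2], "\x01\x00\x00\x02".unpack("C@3C"))
 assert_equal([nil], "\x00".unpack("@1C")) # is it OK?
 assert_raise(ArgumentError) { "\x00".unpack("@2C") }
+
+ pos = (1 << [nil].pack("p").bytesize * 8) - 100 # -100
+ assert_raise(RangeError) {"0123456789".unpack("@#{pos}C10")}
 end
 
 def test_pack_unpack_percent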
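Review bot: The regression test sizes `pos` from the pointer width (`[nil].pack("p").bytesize`), which matches the C count variable only where pointers and `long` are the same size. On a platform where `long` is narrower than a pointer, the value would presumably exceed what `STRTOUL` can return, so the `RangeError` would come from the existing `errno` path and the new `len < 0` branch would go untested. Deriving the width from the native long, e.g. `pos = (1 << [0].pack("l!").bytesize * 8) - 100`, would target the wrapped-negative case directly, assuming `len` is a `long` (its declaration is not visible here). The trailing `# -100` would also read better as `# wraps to -100 when stored in a signed long`.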
--
2.17.1