From 079009fb93678e902777669c663ed6f651a05c85 Mon Sep 17 00:00:00 2001
From: nobu
Date: Tue, 26 Nov 2013 07:30:37 +0000
Subject: [PATCH] file.c: fix buffer overflow

* file.c (rb_readlink): fix buffer overflow on a long symlink. since rb_str_modify_expand() expands from its length but not its capacity, need to set the length properly for each expansion. [ruby-core:58592] [Bug #9157]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@43853 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 7 +++++++
 file.c | 1 +
 test/ruby/test_file_exhaustive.rb | 18 ++++++++++++++++++
 3 files changed, 26 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index d16cc05ffd..e834f8ff92 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Tue Nov 26 16:30:31 2013 Nobuyoshi Nakada
+
+ * file.c (rb_readlink): fix buffer overflow on a long symlink. since
+ rb_str_modify_expand() expands from its length but not its capacity,
+ need to set the length properly for each expansion.
+ [ruby-core:58592] [Bug #9157]
+
 Tue Nov 26 14:23:17 2013 Aman Gupta

 * ext/objspace/objspace_dump.c (dump_append_string_value): Escape
diff --git a/file.c b/file.c
index b14f42e1f8..77facacfcf 100644
--- a/file.c
+++ b/file.c
@@ -2618,6 +2618,7 @@ rb_readlink(VALUE path)
 ) {
 rb_str_modify_expand(v, size);
 size *= 2;
+ rb_str_set_len(v, size);
 }
 if (rv < 0) {
 rb_str_resize(v, 0);
diff --git a/test/ruby/test_file_exhaustive.rb b/test/ruby/test_file_exhaustive.rb
index 069e5592ca..ec4ff1c15c 100644
--- a/test/ruby/test_file_exhaustive.rb
+++ b/test/ruby/test_file_exhaustive.rb
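Review bot: The added `rb_str_set_len(v, size);` in the file.c hunk (rb_readlink's growth loop) carries a memory-safety invariant that nothing in the code states, so the line reads as redundant and could be dropped in a later cleanup. The commit message explains that rb_str_modify_expand() grows from the string's length rather than its capacity; I would put that next to the call, e.g. `/* rb_str_modify_expand() grows from len, not capa: keep len == size so the buffer really holds size bytes */`. Until the string is trimmed again its length also covers bytes that have not been written yet; the visible error path resets it with `rb_str_resize(v, 0)`, and the success path presumably trims it as well, but that is outside the hunk. The loop head and the declaration of `size` are also outside the hunk, so whether `size *= 2` can wrap for its type cannot be judged from here.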
@@ -391,6 +391,24 @@ class TestFileExhaustive < Test::Unit::TestCase
 rescue NotImplementedError
 end

+ def test_readlink_long_path
+ return unless @symlinkfile
+ bug9157 = '[ruby-core:58592] [Bug #9157]'
+ assert_separately(["-", @symlinkfile, bug9157], <<-"end;")
+ symlinkfile, bug9157 = *ARGV
+ 100.step(1000, 100) do |n|
+ File.unlink(symlinkfile)
+ link = "foo"*n
+ begin
+ File.symlink(link, symlinkfile)
+ rescue Errno::ENAMETOOLONG
+ break
+ end
+ assert_equal(link, File.readlink(symlinkfile), bug9157)
+ end
+ end;
+ end
+
 def test_unlink
 assert_equal(1, File.unlink(@file))
 make_file("foo", @file)
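Review bot: test_readlink_long_path can pass without checking anything: if `File.symlink` raises Errno::ENAMETOOLONG on the first length, the loop breaks before any `assert_equal` runs and the overflow regression goes unexercised. I would record progress and assert on it, e.g. `checked = nil` before the loop, `checked = n` after the `assert_equal`, and `assert(checked, bug9157)` after the loop, or skip explicitly on platforms where no length can be created. The lengths tried are all multiples of 300 bytes; since the fix concerns how the buffer grows, a few lengths at and just around the growth steps would make the coverage less dependent on the starting buffer size, which is not visible in this patch. The `break` path also leaves the symlink unlinked; whether teardown tolerates that is outside the hunk.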