random.c: check initialize and load

* random.c (random_init, random_load): cannot initialize frozen object again, nor with tainted/untrusted object. [Bug #6540] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36175 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2012-06-22 04:36:54 +00:00 · 2012-06-22 04:36:54 +00:00 · 0b0dea752c
commit 0b0dea752c
parent 77898c33e3
3 changed files with 29 additions and 0 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+Fri Jun 22 13:36:50 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* random.c (random_init, random_load): cannot initialize frozen object
+	  again, nor with tainted/untrusted object.  [Bug #6540]
+
 Fri Jun 22 13:32:33 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* error.c (rb_check_copyable): new function, to ensure the target is
--- a/random.c
+++ b/random.c
@ -462,10 +462,12 @@ random_init(int argc, VALUE *argv, VALUE obj)
    rb_random_t *rnd = get_rnd(obj);

    if (argc == 0) {
+	rb_check_frozen(obj);
 	vseed = random_seed();
    }
    else {
 	rb_scan_args(argc, argv, "01", &vseed);
+	rb_check_copyable(obj, vseed);
    }
    rnd->seed = rand_init(&rnd->mt, vseed);
    return obj;
@ -686,6 +688,7 @@ random_load(VALUE obj, VALUE dump)
    VALUE *ary;
    unsigned long x;

+    rb_check_copyable(obj, dump);
    Check_Type(dump, T_ARRAY);
    ary = RARRAY_PTR(dump);
    switch (RARRAY_LEN(dump)) {
--- a/test/ruby/test_rand.rb
+++ b/test/ruby/test_rand.rb
@ -484,4 +484,25 @@ END
      Random.new.marshal_load(0)
    }
  end
+
+  def test_marshal_load_frozen
+    r = Random.new(0)
+    d = r.marshal_dump
+    r.freeze
+    assert_raise(RuntimeError, '[Bug #6540]') do
+      r.marshal_load(d)
+    end
+  end
+
+  def test_marshal_load_insecure
+    r = Random.new(0)
+    d = r.marshal_dump
+    l = proc do
+      $SAFE = 4
+      r.marshal_load(d)
+    end
+    assert_raise(SecurityError, '[Bug #6540]') do
+      l.call
+    end
+  end
 end