* ext/dl/cfunc.c (rb_dlcfunc_call): add taint check.

* ext/dl/dl.c (rb_dl_malloc): add rb_secure(2). * ext/dl/dl.c (rb_dl_realloc): ditto. * ext/dl/dl.c (rb_dl_free): ditto. * ext/dl/dl.c (rb_dl_ptr2value): ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@18496 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2008-08-11 11:33:44 +00:00 · 2008-08-11 11:33:44 +00:00 · 199a95775b
commit 199a95775b
parent 35b6abbca2
4 changed files with 30 additions and 8 deletions
--- a/12
+++ b/12
@ -1,3 +1,15 @@
+Mon Aug 11 20:27:12 2008  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* ext/dl/cfunc.c (rb_dlcfunc_call): add taint check.
+
+	* ext/dl/dl.c (rb_dl_malloc): add rb_secure(2).
+
+	* ext/dl/dl.c (rb_dl_realloc): ditto.
+
+	* ext/dl/dl.c (rb_dl_free): ditto.
+
+	* ext/dl/dl.c (rb_dl_ptr2value): ditto.
+
 Mon Aug 11 20:11:21 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* gc.c (getrusage_time): works only if RUSAGE_SELF is defined right
--- a/ext/dl/cfunc.c
+++ b/ext/dl/cfunc.c
@ -260,6 +260,7 @@ rb_dlcfunc_call(VALUE self, VALUE ary)
 	if( i >= DLSTACK_SIZE ){
 	    rb_raise(rb_eDLError, "too many arguments (stack overflow)");
 	}
+	rb_check_safe_obj(RARRAY_PTR(ary)[i]);
 	stack[i] = NUM2LONG(RARRAY_PTR(ary)[i]);
    }
    
--- a/ext/dl/cptr.c
+++ b/ext/dl/cptr.c
@ -416,29 +416,33 @@ rb_dlptr_size(int argc, VALUE argv[], VALUE self)
 VALUE
 rb_dlptr_s_to_ptr(VALUE self, VALUE val)
 {
-    if( rb_obj_is_kind_of(val, rb_cIO) == Qtrue ){
+    VALUE ptr;
+
+    if (rb_obj_is_kind_of(val, rb_cIO) == Qtrue){
 	rb_io_t *fptr;
 	FILE *fp;
 	GetOpenFile(val, fptr);
 	fp = rb_io_stdio_file(fptr);
-	return rb_dlptr_new(fp, 0, NULL);
+	ptr = rb_dlptr_new(fp, 0, NULL);
    }
-    else if( rb_obj_is_kind_of(val, rb_cString) == Qtrue ){
+    else if (rb_obj_is_kind_of(val, rb_cString) == Qtrue){
        char *ptr = StringValuePtr(val);
-        return rb_dlptr_new(ptr, RSTRING_LEN(val), NULL); 
+        ptr = rb_dlptr_new(ptr, RSTRING_LEN(val), NULL); 
    }
-    else if( rb_respond_to(val, id_to_ptr) ){
+    else if (rb_respond_to(val, id_to_ptr)){
 	VALUE vptr = rb_funcall(val, id_to_ptr, 0);
-	if( rb_obj_is_kind_of(vptr, rb_cDLCPtr) ){
-	    return vptr;
+	if (rb_obj_is_kind_of(vptr, rb_cDLCPtr)){
+	    ptr = vptr;
 	}
 	else{
 	    rb_raise(rb_eDLError, "to_ptr should return a CPtr object");
 	}
    }
    else{
-	return rb_dlptr_new(NUM2PTR(rb_Integer(val)), 0, NULL);
+	ptr = rb_dlptr_new(NUM2PTR(rb_Integer(val)), 0, NULL);
    }
+    OBJ_INFECT(ptr, val);
+    return ptr;
 }

 void
--- a/ext/dl/dl.c
+++ b/ext/dl/dl.c
@ -22,6 +22,7 @@ rb_dl_malloc(VALUE self, VALUE size)
 {
    void *ptr;

+    rb_secure(4);
    ptr = (void*)ruby_xmalloc(NUM2INT(size));
    return PTR2NUM(ptr);
 }
@ -31,6 +32,7 @@ rb_dl_realloc(VALUE self, VALUE addr, VALUE size)
 {
    void *ptr = NUM2PTR(addr);

+    rb_secure(4);
    ptr = (void*)ruby_xrealloc(ptr, NUM2INT(size));
    return PTR2NUM(ptr);
 }
@ -39,6 +41,8 @@ VALUE
 rb_dl_free(VALUE self, VALUE addr)
 {
    void *ptr = NUM2PTR(addr);
+
+    rb_secure(4);
    ruby_xfree(ptr);
    return Qnil;
 }
@ -46,6 +50,7 @@ rb_dl_free(VALUE self, VALUE addr)
 VALUE
 rb_dl_ptr2value(VALUE self, VALUE addr)
 {
+    rb_secure(4);
    return (VALUE)NUM2PTR(addr);
 }