* ext/dl/cfunc.c (rb_dlcfunc_call): add taint check.

* ext/dl/dl.c (rb_dl_malloc): add rb_secure(2).

* ext/dl/dl.c (rb_dl_realloc): ditto.

* ext/dl/dl.c (rb_dl_free): ditto.

* ext/dl/dl.c (rb_dl_ptr2value): ditto.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@18496 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,15 @@
+Mon Aug 11 20:27:12 2008  Yukihiro Matsumoto  <matz@ruby-lang.org>
+
+	* ext/dl/cfunc.c (rb_dlcfunc_call): add taint check.
+
+	* ext/dl/dl.c (rb_dl_malloc): add rb_secure(2).
+
+	* ext/dl/dl.c (rb_dl_realloc): ditto.
+
+	* ext/dl/dl.c (rb_dl_free): ditto.
+
+	* ext/dl/dl.c (rb_dl_ptr2value): ditto.
+
 Mon Aug 11 20:11:21 2008  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* gc.c (getrusage_time): works only if RUSAGE_SELF is defined right

ext/dl/cfunc.c

@@ -260,6 +260,7 @@ rb_dlcfunc_call(VALUE self, VALUE ary)
 	if( i >= DLSTACK_SIZE ){
 	    rb_raise(rb_eDLError, "too many arguments (stack overflow)");
 	}
+	rb_check_safe_obj(RARRAY_PTR(ary)[i]);
 	stack[i] = NUM2LONG(RARRAY_PTR(ary)[i]);
     }
     

ext/dl/cptr.c

@@ -416,29 +416,33 @@ rb_dlptr_size(int argc, VALUE argv[], VALUE self)
 VALUE
 rb_dlptr_s_to_ptr(VALUE self, VALUE val)
 {
+    VALUE ptr;
+
     if (rb_obj_is_kind_of(val, rb_cIO) == Qtrue){
 	rb_io_t *fptr;
 	FILE *fp;
 	GetOpenFile(val, fptr);
 	fp = rb_io_stdio_file(fptr);
-	return rb_dlptr_new(fp, 0, NULL);
+	ptr = rb_dlptr_new(fp, 0, NULL);
     }
     else if (rb_obj_is_kind_of(val, rb_cString) == Qtrue){
         char *ptr = StringValuePtr(val);
-        return rb_dlptr_new(ptr, RSTRING_LEN(val), NULL); 
+        ptr = rb_dlptr_new(ptr, RSTRING_LEN(val), NULL); 
     }
     else if (rb_respond_to(val, id_to_ptr)){
 	VALUE vptr = rb_funcall(val, id_to_ptr, 0);
 	if (rb_obj_is_kind_of(vptr, rb_cDLCPtr)){
-	    return vptr;
+	    ptr = vptr;
 	}
 	else{
 	    rb_raise(rb_eDLError, "to_ptr should return a CPtr object");
 	}
     }
     else{
-	return rb_dlptr_new(NUM2PTR(rb_Integer(val)), 0, NULL);
+	ptr = rb_dlptr_new(NUM2PTR(rb_Integer(val)), 0, NULL);
     }
+    OBJ_INFECT(ptr, val);
+    return ptr;
 }
 
 void

ext/dl/dl.c

@@ -22,6 +22,7 @@ rb_dl_malloc(VALUE self, VALUE size)
 {
     void *ptr;
 
+    rb_secure(4);
     ptr = (void*)ruby_xmalloc(NUM2INT(size));
     return PTR2NUM(ptr);
 }
@@ -31,6 +32,7 @@ rb_dl_realloc(VALUE self, VALUE addr, VALUE size)
 {
     void *ptr = NUM2PTR(addr);
 
+    rb_secure(4);
     ptr = (void*)ruby_xrealloc(ptr, NUM2INT(size));
     return PTR2NUM(ptr);
 }
@@ -39,6 +41,8 @@ VALUE
 rb_dl_free(VALUE self, VALUE addr)
 {
     void *ptr = NUM2PTR(addr);
+
+    rb_secure(4);
     ruby_xfree(ptr);
     return Qnil;
 }
@@ -46,6 +50,7 @@ rb_dl_free(VALUE self, VALUE addr)
 VALUE
 rb_dl_ptr2value(VALUE self, VALUE addr)
 {
+    rb_secure(4);
     return (VALUE)NUM2PTR(addr);
 }