mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
pack.c: fix buffer overrun
* pack.c (encodes): fix buffer overrun by tail_lf. Thanks to Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46778 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
70451a56ed
commit
8a608d2b1f
3 changed files with 18 additions and 3 deletions
|
@ -1,3 +1,8 @@
|
|||
Fri Jul 11 10:09:03 2014 Nobuyoshi Nakada <nobu@ruby-lang.org>
|
||||
|
||||
* pack.c (encodes): fix buffer overrun by tail_lf. Thanks to
|
||||
Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019]
|
||||
|
||||
Thu Jul 10 23:51:36 2014 Naohisa Goto <ngotogenome@gmail.com>
|
||||
|
||||
* hash.c (ruby_setenv): Fix TestEnv#test_aset failure on Solaris 9.
|
||||
|
|
8
pack.c
8
pack.c
|
@ -945,7 +945,8 @@ static const char b64_table[] =
|
|||
static void
|
||||
encodes(VALUE str, const char *s, long len, int type, int tail_lf)
|
||||
{
|
||||
char buff[4096];
|
||||
enum {buff_size = 4096, encoded_unit = 4};
|
||||
char buff[buff_size + 1]; /* +1 for tail_lf */
|
||||
long i = 0;
|
||||
const char *trans = type == 'u' ? uu_table : b64_table;
|
||||
char padding;
|
||||
|
@ -958,7 +959,7 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
|
|||
padding = '=';
|
||||
}
|
||||
while (len >= 3) {
|
||||
while (len >= 3 && sizeof(buff)-i >= 4) {
|
||||
while (len >= 3 && buff_size-i >= encoded_unit) {
|
||||
buff[i++] = trans[077 & (*s >> 2)];
|
||||
buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
|
||||
buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
|
||||
|
@ -966,7 +967,7 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
|
|||
s += 3;
|
||||
len -= 3;
|
||||
}
|
||||
if (sizeof(buff)-i < 4) {
|
||||
if (buff_size-i < encoded_unit) {
|
||||
rb_str_buf_cat(str, buff, i);
|
||||
i = 0;
|
||||
}
|
||||
|
@ -986,6 +987,7 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
|
|||
}
|
||||
if (tail_lf) buff[i++] = '\n';
|
||||
rb_str_buf_cat(str, buff, i);
|
||||
if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
|
||||
}
|
||||
|
||||
static const char hex_table[] = "0123456789ABCDEF";
|
||||
|
|
|
@ -550,6 +550,14 @@ EXPECTED
|
|||
assert_equal(["\0"], "AA\n".unpack("m"))
|
||||
assert_equal(["\0"], "AA=\n".unpack("m"))
|
||||
assert_equal(["\0\0"], "AAA\n".unpack("m"))
|
||||
|
||||
bug10019 = '[ruby-core:63604] [Bug #10019]'
|
||||
size = ((4096-4)/4*3+1)
|
||||
assert_separately(%W[- #{size} #{bug10019}], <<-'end;')
|
||||
size = ARGV.shift.to_i
|
||||
bug = ARGV.shift
|
||||
assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug)
|
||||
end;
|
||||
end
|
||||
|
||||
def test_pack_unpack_m0
|
||||
|
|
Loading…
Add table
Reference in a new issue