pack.c: check index range

* pack.c (pack_pack): always check index range against the receiver array length, which can be shortened by elements conversion. reported by Marcin 'Icewall' Noga of Cisco Talos. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53080 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2015-12-13 09:33:40 +00:00 · 2015-12-13 09:33:40 +00:00 · d10d5a974d
commit d10d5a974d
parent db48c30794
3 changed files with 30 additions and 5 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+Sun Dec 13 18:33:41 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* pack.c (pack_pack): always check index range against the
+	  receiver array length, which can be shortened by elements
+	  conversion.  reported by Marcin 'Icewall' Noga of Cisco Talos.
+
 Sun Dec 13 18:28:52 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* ext/psych/psych_emitter.c (start_document): should not exceed
--- a/pack.c
+++ b/pack.c
@ -361,7 +361,7 @@ pack_pack(VALUE ary, VALUE fmt)
    const char *p, *pend;
    VALUE res, from, associates = 0;
    char type;
-    long items, len, idx, plen;
+    long len, idx, plen;
    const char *ptr;
    int enc_info = 1;		/* 0 - BINARY, 1 - US-ASCII, 2 - UTF-8 */
 #ifdef NATINT_PACK
@ -374,12 +374,12 @@ pack_pack(VALUE ary, VALUE fmt)
    pend = p + RSTRING_LEN(fmt);
    res = rb_str_buf_new(0);

-    items = RARRAY_LEN(ary);
    idx = 0;

 #define TOO_FEW (rb_raise(rb_eArgError, toofew), 0)
-#define THISFROM (items > 0 ? RARRAY_AREF(ary, idx) : TOO_FEW)
-#define NEXTFROM (items-- > 0 ? RARRAY_AREF(ary, idx++) : TOO_FEW)
+#define MORE_ITEM (idx < RARRAY_LEN(ary))
+#define THISFROM (MORE_ITEM ? RARRAY_AREF(ary, idx) : TOO_FEW)
+#define NEXTFROM (MORE_ITEM ? RARRAY_AREF(ary, idx++) : TOO_FEW)

    while (p < pend) {
 	int explicit_endian = 0;
@ -431,7 +431,7 @@ pack_pack(VALUE ary, VALUE fmt)
 	if (*p == '*') {	/* set data length */
 	    len = strchr("@Xxu", type) ? 0
                : strchr("PMm", type) ? 1
-                : items;
+                : RARRAY_LEN(ary) - idx;
 	    p++;
 	}
 	else if (ISDIGIT(*p)) {
--- a/test/ruby/test_pack.rb
+++ b/test/ruby/test_pack.rb
@ -794,4 +794,23 @@ EXPECTED
      }
    }
  end
+
+  def test_pack_resize
+    assert_separately([], <<-'end;')
+      ary = []
+      obj = Class.new {
+        define_method(:to_str) {
+          ary.clear()
+          ary = nil
+          GC.start
+          "TALOS"
+        }
+      }.new
+
+      ary.push(obj)
+      ary.push(".")
+
+      assert_raise_with_message(ArgumentError, /too few/) {ary.pack("AA")}
+    end;
+  end
 end