You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
84 lines
2.8 KiB
84 lines
2.8 KiB
Index: ChangeLog |
|
=================================================================== |
|
--- ChangeLog (revision 46805) |
|
+++ ChangeLog (revision 46806) |
|
@@ -837,6 +837,11 @@ |
|
* array.c (rb_ary_permutation): `p` is the array of size `r`, as |
|
commented at permute0(). since `n >= r` here, buffer overflow |
|
never happened, just reduce unnecessary allocation though. |
|
+ |
|
+Sun Jul 13 22:52:43 2014 Nobuyoshi Nakada <nobu@ruby-lang.org> |
|
+ |
|
+ * pack.c (encodes): fix buffer overrun by tail_lf. Thanks to |
|
+ Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019] |
|
|
|
Mon Jul 7 13:05:04 2014 SHIBATA Hiroshi <shibata.hiroshi@gmail.com> |
|
|
|
Index: pack.c |
|
=================================================================== |
|
--- pack.c (revision 46805) |
|
+++ pack.c (revision 46806) |
|
@@ -1088,7 +1088,8 @@ |
|
static void |
|
encodes(VALUE str, const char *s, long len, int type, int tail_lf) |
|
{ |
|
- char buff[4096]; |
|
+ enum {buff_size = 4096, encoded_unit = 4}; |
|
+ char buff[buff_size + 1]; /* +1 for tail_lf */ |
|
long i = 0; |
|
const char *trans = type == 'u' ? uu_table : b64_table; |
|
char padding; |
|
@@ -1101,7 +1102,7 @@ |
|
padding = '='; |
|
} |
|
while (len >= 3) { |
|
- while (len >= 3 && sizeof(buff)-i >= 4) { |
|
+ while (len >= 3 && buff_size-i >= encoded_unit) { |
|
buff[i++] = trans[077 & (*s >> 2)]; |
|
buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))]; |
|
buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))]; |
|
@@ -1109,7 +1110,7 @@ |
|
s += 3; |
|
len -= 3; |
|
} |
|
- if (sizeof(buff)-i < 4) { |
|
+ if (buff_size-i < encoded_unit) { |
|
rb_str_buf_cat(str, buff, i); |
|
i = 0; |
|
} |
|
@@ -1129,6 +1130,7 @@ |
|
} |
|
if (tail_lf) buff[i++] = '\n'; |
|
rb_str_buf_cat(str, buff, i); |
|
+ if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun"); |
|
} |
|
|
|
static const char hex_table[] = "0123456789ABCDEF"; |
|
Index: test/ruby/test_pack.rb |
|
=================================================================== |
|
--- test/ruby/test_pack.rb (revision 46805) |
|
+++ test/ruby/test_pack.rb (revision 46806) |
|
@@ -537,6 +537,14 @@ |
|
assert_equal(["\377"], "/w==\n".unpack("m")) |
|
assert_equal(["\377\377"], "//8=\n".unpack("m")) |
|
assert_equal(["\377\377\377"], "////\n".unpack("m")) |
|
+ |
|
+ bug10019 = '[ruby-core:63604] [Bug #10019]' |
|
+ size = ((4096-4)/4*3+1) |
|
+ assert_separately(%W[- #{size} #{bug10019}], <<-'end;') |
|
+ size = ARGV.shift.to_i |
|
+ bug = ARGV.shift |
|
+ assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug) |
|
+ end; |
|
end |
|
|
|
def test_pack_unpack_m0 |
|
Index: . |
|
=================================================================== |
|
--- . (revision 46805) |
|
+++ . (revision 46806) |
|
|
|
Property changes on: . |
|
___________________________________________________________________ |
|
Modified: svn:mergeinfo |
|
Merged /trunk:r46778
|
|
|