Avoid illegal pointer

mame · mame · commit 50a34637a4bd · 2024-11-29T03:01:46.000+09:00
When loading a crafted marshal data of Random, a pointer to an illegal
address was created. I don't think there is any harm since the data is
normalized before access, but just to be safe, I add a check to make it
an error.
diff --git a/random.c b/random.c
@@ -895,7 +895,7 @@ rand_mt_load(VALUE obj, VALUE dump)
         sizeof(*mt->state), 0,
         INTEGER_PACK_LSWORD_FIRST|INTEGER_PACK_NATIVE_BYTE_ORDER);
     x = NUM2ULONG(left);
-    if (x > numberof(mt->state)) {
+    if (x > numberof(mt->state) || x == 0) {
         rb_raise(rb_eArgError, "wrong value");
     }
     mt->left = (unsigned int)x;
diff --git a/test/ruby/test_rand.rb b/test/ruby/test_rand.rb
@@ -434,4 +434,9 @@ def test_new_seed
     # probability of failure <= 1/256**8
     assert_operator(size.fdiv(n), :>, 15)
   end
+
+  def test_broken_marshal
+    assert_raise(ArgumentError) { Marshal.load("\x04\bU:\vRandom" + Marshal.dump([1,0,1])[2..]) }
+    assert_raise(ArgumentError) { Marshal.load("\x04\bU:\vRandom" + Marshal.dump([1,-1,1])[2..]) }
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -895,7 +895,7 @@ rand_mt_load(VALUE obj, VALUE dump)`
`895`	`895`	`sizeof(*mt->state), 0,`
`896`	`896`	`INTEGER_PACK_LSWORD_FIRST\|INTEGER_PACK_NATIVE_BYTE_ORDER);`
`897`	`897`	`x = NUM2ULONG(left);`
`898`		`- if (x > numberof(mt->state)) {`
	`898`	`+ if (x > numberof(mt->state) \|\| x == 0) {`
`899`	`899`	`rb_raise(rb_eArgError, "wrong value");`
`900`	`900`	`}`
`901`	`901`	`mt->left = (unsigned int)x;`