merge revision(s) r46778: [Backport ruby#10019]

nagachika · nagachika · commit 5acdbee3eb10 · 2014-07-13T13:59:09.000Z
* pack.c (encodes): fix buffer overrun by tail_lf. Thanks to Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug ruby#10019] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@46806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+Sun Jul 13 22:52:43 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* pack.c (encodes): fix buffer overrun by tail_lf.  Thanks to
+	  Mamoru Tasaka and Tomas Hoger.  [ruby-core:63604] [Bug #10019]
+
 Sun Jul 13 22:44:05 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* ext/thread/thread.c (undumpable): ConditionVariable and Queue
diff --git a/pack.c b/pack.c
@@ -946,7 +946,8 @@ static const char b64_table[] =
 static void
 encodes(VALUE str, const char *s, long len, int type, int tail_lf)
 {
-    char buff[4096];
+    enum {buff_size = 4096, encoded_unit = 4};
+    char buff[buff_size + 1];	/* +1 for tail_lf */
     long i = 0;
     const char *trans = type == 'u' ? uu_table : b64_table;
     char padding;
@@ -959,15 +960,15 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
 	padding = '=';
     }
     while (len >= 3) {
-        while (len >= 3 && sizeof(buff)-i >= 4) {
+        while (len >= 3 && buff_size-i >= encoded_unit) {
             buff[i++] = trans[077 & (*s >> 2)];
             buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
             buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
             buff[i++] = trans[077 & s[2]];
             s += 3;
             len -= 3;
         }
-        if (sizeof(buff)-i < 4) {
+        if (buff_size-i < encoded_unit) {
             rb_str_buf_cat(str, buff, i);
             i = 0;
         }
@@ -987,6 +988,7 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)
     }
     if (tail_lf) buff[i++] = '\n';
     rb_str_buf_cat(str, buff, i);
+    if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
 }
 
 static const char hex_table[] = "0123456789ABCDEF";
diff --git a/test/ruby/test_pack.rb b/test/ruby/test_pack.rb
@@ -550,6 +550,14 @@ def test_pack_unpack_m
     assert_equal(["\0"], "AA\n".unpack("m"))
     assert_equal(["\0"], "AA=\n".unpack("m"))
     assert_equal(["\0\0"], "AAA\n".unpack("m"))
+
+    bug10019 = '[ruby-core:63604] [Bug #10019]'
+    size = ((4096-4)/4*3+1)
+    assert_separately(%W[- #{size} #{bug10019}], <<-'end;')
+      size = ARGV.shift.to_i
+      bug = ARGV.shift
+      assert_equal(size, ["a"*size].pack("m#{size+2}").unpack("m")[0].size, bug)
+    end;
   end
 
   def test_pack_unpack_m0
diff --git a/version.h b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.1.2"
 #define RUBY_RELEASE_DATE "2014-07-13"
-#define RUBY_PATCHLEVEL 170
+#define RUBY_PATCHLEVEL 171
 
 #define RUBY_RELEASE_YEAR 2014
 #define RUBY_RELEASE_MONTH 7

-Original file line number
+Diff line change
@@ @@ -1,3 +1,8 @@ @@
 +Sun Jul 13 22:52:43 2014  Nobuyoshi Nakada  <[email protected]>
++
 +	* pack.c (encodes): fix buffer overrun by tail_lf.  Thanks to
 +	  Mamoru Tasaka and Tomas Hoger.  [ruby-core:63604] [Bug #10019]
++
 Sun Jul 13 22:44:05 2014  Nobuyoshi Nakada  <[email protected]>
 	* ext/thread/thread.c (undumpable): ConditionVariable and Queue
Original file line number	Diff line number	Diff line change
`@@ -946,7 +946,8 @@ static const char b64_table[] =`
`946`	`946`	`static void`
`947`	`947`	`encodes(VALUE str, const char *s, long len, int type, int tail_lf)`
`948`	`948`	`{`
`949`		`- char buff[4096];`
	`949`	`+ enum {buff_size = 4096, encoded_unit = 4};`
	`950`	`+ char buff[buff_size + 1]; /* +1 for tail_lf */`
`950`	`951`	`long i = 0;`
`951`	`952`	`const char *trans = type == 'u' ? uu_table : b64_table;`
`952`	`953`	`char padding;`
`@@ -959,15 +960,15 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)`
`959`	`960`	`padding = '=';`
`960`	`961`	`}`
`961`	`962`	`while (len >= 3) {`
`962`		`- while (len >= 3 && sizeof(buff)-i >= 4) {`
	`963`	`+ while (len >= 3 && buff_size-i >= encoded_unit) {`
`963`	`964`	`buff[i++] = trans[077 & (*s >> 2)];`
`964`	`965`	`buff[i++] = trans[077 & (((*s << 4) & 060) \| ((s[1] >> 4) & 017))];`
`965`	`966`	`buff[i++] = trans[077 & (((s[1] << 2) & 074) \| ((s[2] >> 6) & 03))];`
`966`	`967`	`buff[i++] = trans[077 & s[2]];`
`967`	`968`	`s += 3;`
`968`	`969`	`len -= 3;`
`969`	`970`	`}`
`970`		`- if (sizeof(buff)-i < 4) {`
	`971`	`+ if (buff_size-i < encoded_unit) {`
`971`	`972`	`rb_str_buf_cat(str, buff, i);`
`972`	`973`	`i = 0;`
`973`	`974`	`}`
`@@ -987,6 +988,7 @@ encodes(VALUE str, const char *s, long len, int type, int tail_lf)`
`987`	`988`	`}`
`988`	`989`	`if (tail_lf) buff[i++] = '\n';`
`989`	`990`	`rb_str_buf_cat(str, buff, i);`
	`991`	`+ if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");`
`990`	`992`	`}`
`991`	`993`
`992`	`994`	`static const char hex_table[] = "0123456789ABCDEF";`