/[packages]/cauldron/ruby/current/SOURCES/ruby-2.0.0-CVE-2014-4975.patch
ViewVC logotype

Contents of /cauldron/ruby/current/SOURCES/ruby-2.0.0-CVE-2014-4975.patch

Parent Directory Parent Directory | Revision Log Revision Log

Revision 795834 - (show annotations) (download)
Wed Nov 5 17:52:51 2014 UTC (9 years, 5 months ago) by luigiwalser
File size: 1617 byte(s) 
add upstream patch to fix CVE-2014-4975
1 pack.c: fix buffer overrun
2
3 * pack.c (encodes): fix buffer overrun by tail_lf. Thanks to
4 Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019]
5
6 --- ruby-2.0.0-p594/pack.c.orig 2012-10-19 09:13:32.000000000 -0400
7 +++ ruby-2.0.0-p594/pack.c 2014-11-05 12:46:02.959341560 -0500
8 @@ -1063,7 +1063,8 @@ static const char b64_table[] =
9 static void
10 encodes(VALUE str, const char *s, long len, int type, int tail_lf)
11 {
12 - char buff[4096];
13 + enum {buff_size = 4096, encoded_unit = 4};
14 + char buff[buff_size + 1]; /* +1 for tail_lf */
15 long i = 0;
16 const char *trans = type == 'u' ? uu_table : b64_table;
17 char padding;
18 @@ -1076,7 +1077,7 @@ encodes(VALUE str, const char *s, long l
19 padding = '=';
20 }
21 while (len >= 3) {
22 - while (len >= 3 && sizeof(buff)-i >= 4) {
23 + while (len >= 3 && buff_size-i >= encoded_unit) {
24 buff[i++] = trans[077 & (*s >> 2)];
25 buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
26 buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
27 @@ -1084,7 +1085,7 @@ encodes(VALUE str, const char *s, long l
28 s += 3;
29 len -= 3;
30 }
31 - if (sizeof(buff)-i < 4) {
32 + if (buff_size-i < encoded_unit) {
33 rb_str_buf_cat(str, buff, i);
34 i = 0;
35 }
36 @@ -1104,6 +1105,7 @@ encodes(VALUE str, const char *s, long l
37 }
38 if (tail_lf) buff[i++] = '\n';
39 rb_str_buf_cat(str, buff, i);
40 + if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
41 }
42
43 static const char hex_table[] = "0123456789ABCDEF";
  ViewVC Help
Powered by ViewVC 1.1.30