pack.c: fix buffer overrun |
|
* pack.c (encodes): fix buffer overrun by tail_lf. Thanks to |
Mamoru Tasaka and Tomas Hoger. [ruby-core:63604] [Bug #10019] |
|
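--- a/ruby-2.0.0-p594/pack.c
+++ b/ruby-2.0.0-p594/pack.c
@@ -1063,7 +1063,8 @@ static const char b64_table[] =
 static void
 encodes(VALUE str, const char *s, long len, int type, int tail_lf)
 {
- char buff[4096];
+ enum {buff_size = 4096, encoded_unit = 4};
+ char buff[buff_size + 1]; /* +1 for tail_lf */
 long i = 0;
 const char *trans = type == 'u' ? uu_table : b64_table;
 char padding;
@@ -1076,7 +1077,7 @@ encodes(VALUE str, const char *s, long l
 padding = '=';
 }
 while (len >= 3) {
- while (len >= 3 && sizeof(buff)-i >= 4) {
+ while (len >= 3 && buff_size-i >= encoded_unit) {
 buff[i++] = trans[077 & (*s >> 2)];
 buff[i++] = trans[077 & (((*s << 4) & 060) | ((s[1] >> 4) & 017))];
 buff[i++] = trans[077 & (((s[1] << 2) & 074) | ((s[2] >> 6) & 03))];
@@ -1084,7 +1085,7 @@ encodes(VALUE str, const char *s, long l
 s += 3;
 len -= 3;
 }
- if (sizeof(buff)-i < 4) {
+ if (buff_size-i < encoded_unit) {
 rb_str_buf_cat(str, buff, i);
 i = 0;
 }
@@ -1104,6 +1105,7 @@ encodes(VALUE str, const char *s, long l
 }
 if (tail_lf) buff[i++] = '\n';
 rb_str_buf_cat(str, buff, i);
+ if ((size_t)i > sizeof(buff)) rb_bug("encodes() buffer overrun");
 }
 
 static const char hex_table[] = "0123456789ABCDEF";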
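Review bot: The `rb_bug("encodes() buffer overrun")` check added in the last hunk runs only after `buff[i++] = '\n'` and `rb_str_buf_cat(str, buff, i)`, so if the index invariant were ever broken again, the write past `buff` and the copy into `str` would already have happened before the interpreter aborts. Testing before the store makes it a guard rather than a post-mortem: `if (tail_lf) { if ((size_t)i >= sizeof(buff)) rb_bug("encodes() buffer overrun"); buff[i++] = '\n'; }`. The code that emits the final padded group lies between the third and fourth hunks and is not visible here, so it is worth confirming that it also leaves `i <= buff_size`. A one-line comment at the `enum`, such as `/* flush keeps i <= buff_size - encoded_unit; the extra byte is reserved for tail_lf */`, would record why `buff_size` rather than `sizeof(buff)` is used in the loop bounds.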