Gentoo's Bugzilla – Attachment 156407 Details for
Bug 225465
dev-lang/ruby <1.8.6_p287 Multiple vulnerabilities (CVE-2008-{1447,2662,2663,2664,2725,2726,2376,3655,3656,3657,3905})
[patch]
ruby-1.8.6-CVE-2008-2662+3+4.patch
ruby-1.8.6-CVE-2008-2662+3+4.patch (text/plain), 5.05 KB, created by
Robert Buchholz (RETIRED)
on 2008-06-11 20:26:16 UTC
Description:
ruby-1.8.6-CVE-2008-2662+3+4.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-06-11 20:26:16 UTC
Size:
5.05 KB
patch
obsolete
>Index: ruby-1.8.6-p114/array.c
>===================================================================
>--- ruby-1.8.6-p114.orig/array.c
>+++ ruby-1.8.6-p114/array.c
>@@ -20,6 +20,7 @@ VALUE rb_cArray;
> static ID id_cmp;
> 
> #define ARY_DEFAULT_SIZE 16
>+#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE))
> 
> void
> rb_mem_clear(mem, size)
>@@ -120,7 +121,7 @@ ary_new(klass, len)
> if (len < 0) {
> rb_raise(rb_eArgError, "negative array size (or size too big)");
> }
>- if (len > 0 && len * sizeof(VALUE) <= len) {
>+ if (len > ARY_MAX_SIZE) {
> rb_raise(rb_eArgError, "array size too big");
> }
> if (len == 0) len++;
>@@ -293,7 +294,7 @@ rb_ary_initialize(argc, argv, ary)
> if (len < 0) {
> rb_raise(rb_eArgError, "negative array size");
> }
>- if (len > 0 && len * (long)sizeof(VALUE) <= len) {
>+ if (len > ARY_MAX_SIZE) {
> rb_raise(rb_eArgError, "array size too big");
> }
> if (len > RARRAY(ary)->aux.capa) {
>@@ -358,6 +359,9 @@ rb_ary_store(ary, idx, val)
> idx - RARRAY(ary)->len);
> }
> }
>+ else if (idx >= ARY_MAX_SIZE) {
>+ rb_raise(rb_eIndexError, "index %ld too big", idx);
>+ }
> 
> rb_ary_modify(ary);
> if (idx >= RARRAY(ary)->aux.capa) {
>@@ -366,10 +370,10 @@ rb_ary_store(ary, idx, val)
> if (new_capa < ARY_DEFAULT_SIZE) {
> new_capa = ARY_DEFAULT_SIZE;
> }
>- new_capa += idx;
>- if (new_capa * (long)sizeof(VALUE) <= new_capa) {
>- rb_raise(rb_eArgError, "index too big");
>+ else if (new_capa >= ARY_MAX_SIZE - idx) {
>+ new_capa = (ARY_MAX_SIZE - idx) / 2;
> }
>+ new_capa += idx;
> REALLOC_N(RARRAY(ary)->ptr, VALUE, new_capa);
> RARRAY(ary)->aux.capa = new_capa;
> }
>@@ -976,6 +980,9 @@ rb_ary_splice(ary, beg, len, rpl)
> 
> if (beg >= RARRAY(ary)->len) {
> len = beg + rlen;
>+ if (len < 0 || len > ARY_MAX_SIZE) {
>+ rb_raise(rb_eIndexError, "index %ld too big", beg);
>+ }
> if (len >= RARRAY(ary)->aux.capa) {
> REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
> RARRAY(ary)->aux.capa = len;
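Review bot: `ARY_MAX_SIZE` is defined as `LONG_MAX / sizeof(VALUE)`, and because `sizeof` yields `size_t` the whole macro has unsigned type, so every `len > ARY_MAX_SIZE`, `idx >= ARY_MAX_SIZE` and `ARY_MAX_SIZE/len` comparison in this patch (ary_new, rb_ary_initialize, rb_ary_store, rb_ary_splice, rb_ary_times) is evaluated as unsigned arithmetic on a `long` operand. That is only safe because each site rejects negative values first; the check this hunk replaces in rb_ary_initialize deliberately used `(long)sizeof(VALUE)`. Keeping the limit signed makes the intent explicit and silences sign-compare warnings: `#define ARY_MAX_SIZE (LONG_MAX / (long)sizeof(VALUE))`.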
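Review bot: The new `else if (new_capa >= ARY_MAX_SIZE - idx)` guard in rb_ary_store is skipped whenever the first branch has just clamped `new_capa` to `ARY_DEFAULT_SIZE`, so for an `idx` within `ARY_DEFAULT_SIZE` of `ARY_MAX_SIZE` the `new_capa += idx` that follows still yields a capacity above `ARY_MAX_SIZE` and the request reaches `REALLOC_N` with a byte count above `LONG_MAX`, the very case the new limit was introduced to stop; making the second test an independent `if` closes it. In the other direction, when `ARY_MAX_SIZE - idx` is 1 the halving yields 0 and the final capacity equals `idx` exactly, which leaves no slot for the element being stored if the write at `ptr[idx]` later in the function (outside the hunk) assumes `capa > idx`. rb_ary_store starts before this hunk and continues after it.
```c
	if (new_capa < ARY_DEFAULT_SIZE) {
	    new_capa = ARY_DEFAULT_SIZE;
	}
	if (new_capa >= ARY_MAX_SIZE - idx) {
	    new_capa = (ARY_MAX_SIZE - idx) / 2;
	}
	new_capa += idx;
	if (new_capa <= idx) {
	    new_capa = idx + 1;	/* idx < ARY_MAX_SIZE is enforced earlier in this patch */
	}
	/* … unchanged: REALLOC_N and aux.capa update … */
```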
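Review bot: The new range check in rb_ary_splice inspects `len` only after `len = beg + rlen;` has been evaluated, so for a large `beg` the signed addition overflows before the `len < 0` test runs; signed overflow is undefined behaviour in C and a compiler may assume it cannot happen and discard that branch. Assuming `beg` and `rlen` are already known non-negative at this point (checked earlier in the function, outside the hunk), testing the operands keeps the check on defined ground: `if (beg > ARY_MAX_SIZE || rlen > ARY_MAX_SIZE - beg) { rb_raise(rb_eIndexError, "index %ld too big", beg); } len = beg + rlen;`. The same after-the-fact pattern appears in the rb_str_buf_append hunk in string.c, where `len` is the sum of two string lengths and is likewise tested for negativity only after the addition. rb_ary_splice starts before this hunk and continues after it.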
>@@ -2378,7 +2385,7 @@ rb_ary_times(ary, times)
> if (len < 0) {
> rb_raise(rb_eArgError, "negative argument");
> }
>- if (LONG_MAX/len < RARRAY(ary)->len) {
>+ if (ARY_MAX_SIZE/len < RARRAY(ary)->len) {
> rb_raise(rb_eArgError, "argument too big");
> }
> len *= RARRAY(ary)->len;
>Index: ruby-1.8.6-p114/intern.h
>===================================================================
>--- ruby-1.8.6-p114.orig/intern.h
>+++ ruby-1.8.6-p114/intern.h
>@@ -400,6 +400,7 @@ const char *ruby_signal_name _((int));
> void ruby_default_signal _((int));
> /* sprintf.c */
> VALUE rb_f_sprintf _((int, VALUE*));
>+VALUE rb_str_format _((int, VALUE*, VALUE));
> /* string.c */
> VALUE rb_str_new _((const char*, long));
> VALUE rb_str_new2 _((const char*));
>Index: ruby-1.8.6-p114/sprintf.c
>===================================================================
>--- ruby-1.8.6-p114.orig/sprintf.c
>+++ ruby-1.8.6-p114/sprintf.c
>@@ -247,7 +247,15 @@ rb_f_sprintf(argc, argv)
> int argc;
> VALUE *argv;
> {
>+ return rb_str_format(argc - 1, argv + 1, GETNTHARG(0));
>+}
>+
>+VALUE
>+rb_str_format(argc, argv, fmt)
>+ int argc;
>+ VALUE *argv;
> VALUE fmt;
>+{
> const char *p, *end;
> char *buf;
> int blen, bsiz;
>@@ -276,7 +284,8 @@ rb_f_sprintf(argc, argv)
> rb_raise(rb_eArgError, "flag after precision"); \
> }
> 
>- fmt = GETNTHARG(0);
>+ ++argc;
>+ --argv;
> if (OBJ_TAINTED(fmt)) tainted = 1;
> StringValue(fmt);
> fmt = rb_str_new4(fmt);
>Index: ruby-1.8.6-p114/string.c
>===================================================================
>--- ruby-1.8.6-p114.orig/string.c
>+++ ruby-1.8.6-p114/string.c
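Review bot: `rb_str_format` becomes an exported entry point (this patch adds its prototype to intern.h) but nothing states its calling convention, which differs from `rb_f_sprintf` directly above it: `argc`/`argv` hold only the values to be formatted and the format itself is passed separately in `fmt`. A header comment above the new definition, such as `/* argv[0..argc-1] are the values to format; fmt is the format string and is NOT part of argv, unlike rb_f_sprintf where argv[0] is the format */`, would keep the next caller from handing over the Ruby-level argument vector unchanged. The new function's body continues past the end of the hunk.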
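Review bot: `++argc; --argv;` rebases the vector so the existing 1-based `GETNTHARG(n)` lookups keep working after the format moved out of `argv[0]`, but it also forms the pointer `argv - 1`, which for the `rb_str_format(1, &arg, str)` call introduced in string.c points before a single stack object; that is outside what C guarantees for pointer arithmetic even though, with `fmt = GETNTHARG(0)` removed, nothing in the hunk appears to read slot 0. Both facts deserve a comment on the two lines, e.g. `/* shift so GETNTHARG(n) stays 1-based; slot 0 is never read */`, so a later change does not reintroduce a `GETNTHARG(0)`. The enclosing function starts before the hunk and continues after it.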
>@@ -452,22 +452,15 @@ rb_str_times(str, times)
> */
> 
> static VALUE
>-rb_str_format(str, arg)
>+rb_str_format_m(str, arg)
> VALUE str, arg;
> {
>- VALUE *argv;
>+ VALUE tmp = rb_check_array_type(arg);
> 
>- if (TYPE(arg) == T_ARRAY) {
>- argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1);
>- argv[0] = str;
>- MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len);
>- return rb_f_sprintf(RARRAY(arg)->len+1, argv);
>+ if (!NIL_P(tmp)) {
>+ return rb_str_format(RARRAY_LEN(tmp), RARRAY_PTR(tmp), str);
> }
>-
>- argv = ALLOCA_N(VALUE, 2);
>- argv[0] = str;
>- argv[1] = arg;
>- return rb_f_sprintf(2, argv);
>+ return rb_str_format(1, &arg, str);
> }
> 
> static int
>@@ -780,6 +773,9 @@ rb_str_buf_append(str, str2)
> capa = RSTRING(str)->aux.capa;
> }
> len = RSTRING(str)->len+RSTRING(str2)->len;
>+ if (len < 0 || (capa+1) > LONG_MAX / 2) {
>+ rb_raise(rb_eArgError, "string sizes too big");
>+ }
> if (capa <= len) {
> while (len > capa) {
> capa = (capa + 1) * 2;
>@@ -4657,7 +4653,7 @@ Init_String()
> rb_define_method(rb_cString, "casecmp", rb_str_casecmp, 1);
> rb_define_method(rb_cString, "+", rb_str_plus, 1);
> rb_define_method(rb_cString, "*", rb_str_times, 1);
>- rb_define_method(rb_cString, "%", rb_str_format, 1);
>+ rb_define_method(rb_cString, "%", rb_str_format_m, 1);
> rb_define_method(rb_cString, "[]", rb_str_aref_m, -1);
> rb_define_method(rb_cString, "[]=", rb_str_aset_m, -1);
> rb_define_method(rb_cString, "insert", rb_str_insert, 2);
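Review bot: Replacing the `TYPE(arg) == T_ARRAY` test with `rb_check_array_type(arg)` in rb_str_format_m changes which arguments `String#%` accepts, not only how they are passed: if that helper performs the implicit `to_ary` conversion its name suggests, any object responding to `to_ary` is now spread as the argument list where it was previously formatted as a single value, and user code in `to_ary` runs before formatting. That may well be intended, but it is a behaviour change travelling with a security fix and is worth a comment at the call, e.g. `/* to_ary-convertible objects are spread as the argument list (was: T_ARRAY only) */`, plus a line in the release notes.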
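Review bot: The added `(capa+1) > LONG_MAX / 2` test in rb_str_buf_append protects only the first `capa = (capa + 1) * 2` step; the `while (len > capa)` loop directly below it doubles repeatedly, and since `len` is bounded only by `len < 0`, a later iteration can still push `capa + 1` past `LONG_MAX / 2` and overflow. Moving the test into the loop guards every step: `while (len > capa) { if (capa > LONG_MAX / 2 - 1) rb_raise(rb_eArgError, "string sizes too big"); capa = (capa + 1) * 2; }`. The function starts before the hunk and continues after it.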