authornahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2011-08-23 02:36:13 +0000
committernahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2011-08-23 02:36:13 +0000
commite3e985064a6b9d338edc86cf3e807345a26b64af (patch)
treef7d2e1640b7d7895a712fc4312cf5e60db48137d
parent4ed4711361e771516e0088fc86c822bd4dd1ac76 (diff)
* ext/zlib/zlib.c (gzfile_read_header): Ensure that each section of
  gzip header is readable to avoid SEGV.

* test/zlib/test_zlib.rb (test_corrupted_header): Test it.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33023 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--ChangeLog7
-rw-r--r--ext/zlib/zlib.c6
-rw-r--r--test/zlib/test_zlib.rb14
3 files changed, 27 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 0dfbbf091a..0f3a765413 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Tue Aug 23 11:27:26 2011 Hiroshi Nakamura <nahi@ruby-lang.org>
+
+ * ext/zlib/zlib.c (gzfile_read_header): Ensure that each section of
+ gzip header is readable to avoid SEGV.
+
+ * test/zlib/test_zlib.rb (test_corrupted_header): Test it.
+
Mon Aug 22 23:43:33 2011 CHIKANAGA Tomoyuki <nagachika00@gmail.com>
* sprintf.c (rb_str_format): add RB_GC_GUARD to prevent temporary
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
index 08963a923e..a235cbb621 100644
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -2306,6 +2306,9 @@ gzfile_read_header(struct gzfile *gz)
zstream_discard_input(&gz->z, 2 + len);
}
if (flags & GZ_FLAG_ORIG_NAME) {
+ if (!gzfile_read_raw_ensure(gz, 1)) {
+ rb_raise(cGzError, "unexpected end of file");
+ }
p = gzfile_read_raw_until_zero(gz, 0);
len = p - RSTRING_PTR(gz->z.input);
gz->orig_name = rb_str_new(RSTRING_PTR(gz->z.input), len);
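Review bot: The new `gzfile_read_raw_ensure(gz, 1)` guard before `gzfile_read_raw_until_zero(gz, 0)` in the GZ_FLAG_ORIG_NAME branch has no comment saying why one byte must be buffered first, and the same three lines are repeated in the GZ_FLAG_COMMENT branch of the next hunk. Going by the commit message, this is what stops a truncated header from crashing, presumably because the scan helper touches `gz->z.input` before checking that any input remains after the preceding `zstream_discard_input`. A comment such as `/* header is untrusted: make sure input is non-empty before scanning for the NUL terminator */` on both guards would keep them from being removed later as redundant. Nothing visible here caps `len` either, so the name and comment strings are as long as the stream makes them; whether a limit is applied elsewhere cannot be told from the hunk. gzfile_read_header starts and ends outside both hunks.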
@@ -2313,6 +2316,9 @@ gzfile_read_header(struct gzfile *gz)
zstream_discard_input(&gz->z, len + 1);
}
if (flags & GZ_FLAG_COMMENT) {
+ if (!gzfile_read_raw_ensure(gz, 1)) {
+ rb_raise(cGzError, "unexpected end of file");
+ }
p = gzfile_read_raw_until_zero(gz, 0);
len = p - RSTRING_PTR(gz->z.input);
gz->comment = rb_str_new(RSTRING_PTR(gz->z.input), len);
diff --git a/test/zlib/test_zlib.rb b/test/zlib/test_zlib.rb
index d118f7e503..37781bc8e7 100644
--- a/test/zlib/test_zlib.rb
+++ b/test/zlib/test_zlib.rb
@@ -694,6 +694,20 @@ if defined? Zlib
assert_equal("foo", Zlib::GzipReader.wrap(f) {|gz| gz.read })
assert_raise(IOError) { f.close }
end
+
+ def test_corrupted_header
+ gz = Zlib::GzipWriter.new(StringIO.new(s = ""))
+ gz.orig_name = "X"
+ gz.comment = "Y"
+ gz.print("foo")
+ gz.finish
+ # 14: magic(2) + method(1) + flag(1) + mtime(4) + exflag(1) + os(1) + orig_name(2) + comment(2)
+ 1.upto(14) do |idx|
+ assert_raise(Zlib::GzipFile::Error, idx) do
+ Zlib::GzipReader.new(StringIO.new(s[0, idx])).read
+ end
+ end
+ end
end
class TestZlibGzipWriter < Test::Unit::TestCase
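Review bot: In `assert_raise(Zlib::GzipFile::Error, idx)` the second argument is an Integer, and an assert_raise that only accepts a String as its trailing failure message would treat `idx` as another expected exception class instead of a label for the truncation length. Passing a string keeps the intent: `assert_raise(Zlib::GzipFile::Error, "truncated at #{idx} bytes") do`. The loop also covers only the fixed header fields plus orig_name and comment, as the 14-byte breakdown in the comment shows. A header with the optional extra field set is not exercised here, so truncation inside that section would need its own case if it is to be covered.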