author | ngoto <ngoto@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-07-15 13:08:54 +0000 |
---|---|---|
committer | ngoto <ngoto@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-07-15 13:08:54 +0000 |
commit | 20c4461d86487447e0c8208514ff90835104b89c (patch) | |
tree | 86b77241026e97e5d7e3bc74f444725f3dcbf69d | |
parent | 2bb292fccf9560b2c885b4368e5c5fc3fe2a2bda (diff) | |
download | ruby-20c4461d86487447e0c8208514ff90835104b89c.tar.gz |
* string.c (str_buf_cat): Fix potential integer overflow of capa.
In addition, termlen is used instead of +1.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55692 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | string.c | 5 |
2 files changed, 8 insertions, 2 deletions
@@ -1,3 +1,8 @@
+Fri Jul 15 22:05:13 2016 Naohisa Goto <ngotogenome@gmail.com>
+
+ * string.c (str_buf_cat): Fix potential interger overflow of capa.
+ In addition, termlen is used instead of +1.
+
 Fri Jul 15 21:30:38 2016 Naohisa Goto <ngotogenome@gmail.com>
 * string.c (str_buf_cat): Fix capa size for embed string.
@@ -2562,6 +2562,7 @@ str_buf_cat(VALUE str, const char *ptr, long len)
 long capa, total, olen, off = -1;
 char *sptr;
 const int termlen = TERM_LEN(str);
+ assert(termlen < RSTRING_EMBED_LEN_MAX + 1); /* < (LONG_MAX/2) */
 RSTRING_GETMEM(str, sptr, olen);
 if (ptr >= sptr && ptr <= sptr + olen) {
@@ -2586,11 +2587,11 @@ str_buf_cat(VALUE str, const char *ptr, long len)
 if (capa <= total) {
 if (LIKELY(capa > 0)) {
 while (total > capa) {
- if (capa > LONG_MAX / 2) {
+ if (capa > LONG_MAX / 2 - termlen) {
 capa = (total + 4095) / 4096 * 4096;
 break;
 }
- capa = 2 * capa + 1;
+ capa = 2 * capa + termlen; /* == 2*(capa+termlen)-termlen */
 }
 }
 else { |
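Review bot: The added `assert(termlen < RSTRING_EMBED_LEN_MAX + 1)` near the top of str_buf_cat is the only statement of the bound that the later `LONG_MAX / 2 - termlen` comparison depends on, and an `assert` is compiled out when NDEBUG is defined, so such a build checks nothing. The trailing `/* < (LONG_MAX/2) */` does not say why the bound matters. I would put the reason above the assert, for example `/* termlen must stay small: the capa doubling below computes LONG_MAX / 2 - termlen and 2 * capa + termlen */`. Whether TERM_LEN can return a value outside that range is not visible here, and the function body starts and ends outside the hunk.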
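Review bot: The fallback inside the tightened guard, `capa = (total + 4095) / 4096 * 4096;`, is still unchecked: when `total` is within 4095 of LONG_MAX the addition is a signed overflow, and a wrapped `capa` could leave the buffer smaller than the data later copied into it. The rounded value plus `termlen` may also exceed LONG_MAX where the buffer is resized, which is outside this hunk. Whether `total` is bounded tightly enough earlier in str_buf_cat is not visible here, so I would guard the rounding locally, e.g. `capa = (total > LONG_MAX - 4095 - termlen) ? total : (total + 4095) / 4096 * 4096;`. That keeps `capa + termlen` representable whenever the rounding path is taken.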