diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2016-09-15 01:09:10 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-12-16 16:49:16 +0000 |
commit | 5b18872c7a4df0b9a01af5c86ee6969018985e69 (patch) | |
tree | d7846299bd1759582a6a844f15c1a26c5999e8c6 | |
parent | 05e4733b0075191587c38810f5e85d46f6ebaebb (diff) | |
download | ruby-5b18872c7a4df0b9a01af5c86ee6969018985e69.tar.gz |
pack.c: avoid signed integer overflowwip-topic/signed-integer-overflow
Avoid 'x > y * n' pattern because 'y * n' may cause a signed integer
overflow.
-rw-r--r-- | pack.c | 22 |
1 files changed, 17 insertions, 5 deletions
@@ -1191,8 +1191,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode) int bits; long i; - if (p[-1] == '*' || len > (send - s) * 8) + if (p[-1] == '*' || len / 8 >= send - s) { + if (send - s > LONG_MAX / 8) + rb_raise(rb_eRuntimeError, "string size too big"); len = (send - s) * 8; + } bits = 0; UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len)); t = RSTRING_PTR(bitstr); @@ -1211,8 +1214,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode) int bits; long i; - if (p[-1] == '*' || len > (send - s) * 8) + if (p[-1] == '*' || len / 8 >= send - s) { + if (send - s > LONG_MAX / 8) + rb_raise(rb_eRuntimeError, "string size too big"); len = (send - s) * 8; + } bits = 0; UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len)); t = RSTRING_PTR(bitstr); @@ -1231,8 +1237,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode) int bits; long i; - if (p[-1] == '*' || len > (send - s) * 2) + if (p[-1] == '*' || len / 2 >= send - s) { + if (send - s > LONG_MAX / 2) + rb_raise(rb_eRuntimeError, "string size too big"); len = (send - s) * 2; + } bits = 0; UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len)); t = RSTRING_PTR(bitstr); @@ -1253,8 +1262,11 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode) int bits; long i; - if (p[-1] == '*' || len > (send - s) * 2) + if (p[-1] == '*' || len / 2 >= send - s) { + if (send - s > LONG_MAX / 2) + rb_raise(rb_eRuntimeError, "string size too big"); len = (send - s) * 2; + } bits = 0; UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len)); t = RSTRING_PTR(bitstr); @@ -1522,7 +1534,7 @@ pack_unpack_internal(VALUE str, VALUE fmt, int mode) case 'm': { - VALUE buf = infected_str_new(0, (send - s + 3)*3/4, str); /* +3 is for skipping paddings */ + VALUE buf = infected_str_new(0, (send - s + 3) / 4 * 3, str); /* +3 is for skipping paddings */ char *ptr = RSTRING_PTR(buf); int a = -1,b = -1,c = 0,d = 0; static signed char b64_xtable[256]; |