diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2016-09-10 21:37:19 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-09-13 21:31:34 +0900 |
| commit | 47d62b46d426a8e2402e1a89b2e2d9dd04886aa7 (patch) | |
| tree | 38d2732ae0a9e295ef7ec6b2398659bc3f9d43ca /common.mk | |
| parent | be857a19108adb37869ad196d65b90810807dec6 (diff) | |
| download | ruby-topic/string-integer-overflow.tar.gz | |
string.c: avoid signed integer overflowtopic/string-integer-overflow
The behavior on signed integer overflow is undefined. On platform with
sizeof(long)==4, it's fairly easy that 'len + termlen' overflows, where
len is the string length and termlen is the terminator length.
So, prevent the integer overflow by avoiding adding to a string length,
or casting to size_t before adding where the total size is passed to
{RE,}ALLOC*().
* string.c (STR_HEAP_SIZE, RESIZE_CAPA_TERM, str_new0, rb_str_buf_new,
str_shared_replace, rb_str_init, str_make_independent_expand,
rb_str_resize): Avoid overflow by casting the length to size_t. size_t
should be able to represent LONG_MAX+termlen.
* string.c (rb_str_modify_expand): Check that the new length is in the
range of long before resizing. Also refactor to use RESIZE_CAPA_TERM
macro.
* string.c (str_buf_cat): Fix so that it does not create a negative
length String. Also fix the condition for 'string sizes too big', the
total length can be up to LONG_MAX.
* string.c (rb_str_plus): Check the resulting String length does not
exceed LONG_MAX.
* string.c (rb_str_dump): Fix integer overflow. The dump result will be
longer then the original String.
Diffstat (limited to 'common.mk')
0 files changed, 0 insertions, 0 deletions