diff options
author | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-06-14 13:07:27 +0000 |
---|---|---|
committer | nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2016-06-14 13:07:27 +0000 |
commit | 57f3481fc2b3c03484373ef96463ad7f3ea6cabb (patch) | |
tree | dffcde8d3bebe3d52afb48147cfc787d20a05360 /ext | |
parent | 98ec4125569e9b33cbb0d891c9098eabebbfb995 (diff) | |
download | ruby-57f3481fc2b3c03484373ef96463ad7f3ea6cabb.tar.gz |
date_strftime.c: check precision
* ext/date/date_strftime.c (date_strftime_with_tmx): reject too
large precision to get rid of buffer overflow.
reported by Guido Vranken <guido AT guidovranken.nl>.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55410 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext')
-rw-r--r-- | ext/date/date_strftime.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/ext/date/date_strftime.c b/ext/date/date_strftime.c index 20931a3124..9d8167b612 100644 --- a/ext/date/date_strftime.c +++ b/ext/date/date_strftime.c @@ -48,7 +48,7 @@ downcase(char *s, size_t i) /* strftime --- produce formatted time */ static size_t -date_strftime_with_tmx(char *s, size_t maxsize, const char *format, +date_strftime_with_tmx(char *s, const size_t maxsize, const char *format, const struct tmx *tmx) { char *endp = s + maxsize; @@ -575,7 +575,12 @@ date_strftime_with_tmx(char *s, size_t maxsize, const char *format, case '5': case '6': case '7': case '8': case '9': { char *e; - precision = (int)strtoul(format, &e, 10); + unsigned long prec = strtoul(format, &e, 10); + if (prec > INT_MAX || prec > maxsize) { + errno = ERANGE; + return 0; + } + precision = (int)prec; format = e - 1; goto again; } |