From ab2547d786572f4c14e0d849f5f64f006425c5ba Mon Sep 17 00:00:00 2001 From: mame Date: Tue, 15 Jan 2019 14:19:19 +0000 Subject: st.c (rb_hash_bulk_insert_into_st_table): avoid out-of-bounds write "hash_bulk_insert" first expands the table, but the target size was wrong: it was calculated by "num_entries + (size to buld insert)", but it was wrong when "num_entries < entries_bound", i.e., it has a deleted entry. "hash_bulk_insert" adds the given entries from entries_bound, which led to out-of-bounds write access. [Bug #15536] As a simple fix, this commit changes the calculation to "entries_bound + size". I'm afraid if this might be inefficient, but I think it is safe anyway. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@66832 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 st.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'st.c')
diff --git a/st.c b/st.c
index c6b3644e39..ed235c674e 100644
--- a/st.c
+++ b/st.c
@@ -2299,7 +2299,7 @@ rb_hash_bulk_insert_into_st_table(long argc, const VALUE *argv, VALUE hash)
 st_table *tab = RHASH_ST_TABLE(hash);
 tab = RHASH_TBL_RAW(hash);
- n = tab->num_entries + size;
+ n = tab->entries_bound + size;
 st_expand_table(tab, n);
 if (UNLIKELY(tab->num_entries))
 st_insert_generic(tab, argc, argv, hash);
-- cgit v1.2.3
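Review bot: The corrected line `n = tab->entries_bound + size;` carries no comment saying why the bound is used instead of the live count, so a later cleanup could plausibly change it back to `num_entries` and reintroduce the out-of-bounds write. I would add above it `/* entries are appended starting at entries_bound, so slots left by deleted entries must be counted too [Bug #15536] */`. The diffstat shows only st.c changing, so no regression test (delete an entry, then bulk-insert) accompanies the fix; adding one, ideally exercised under AddressSanitizer, would pin the invariant. The declaration of `size` and the insert paths after `st_insert_generic` lie outside the hunk, so whether the sum can wrap cannot be checked from here.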