packages/ruby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ruby/backport-CVE-2024-27280.patch
shixuantong 9a876937dd fix CVE-2024-27280 and CVE-2024-27281 
(cherry picked from commit 652039bcc49ab28135864064961d308f9f8a7e63)
2024-03-29 10:01:47 +08:00

87 lines
2.6 KiB
Diff
Raw Blame History

From a35268a3ac1b5f0058e5b7c1a041a7e86d9da067 Mon Sep 17 00:00:00 2001
From: Nobuyoshi Nakada <nobu@ruby-lang.org>
Date: Tue, 16 Nov 2021 17:39:32 +0900
Subject: [PATCH] Fix expanding size at ungetc/ungetbyte
Reference:https://github.com/ruby/stringio/commit/a35268a3ac1b5f0058e5b7c1a041a7e86d9da067
Conflict:NA
---
ext/stringio/stringio.c | 2 +-
test/stringio/test_stringio.rb | 25 +++++++++++++++++++++----
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/ext/stringio/stringio.c b/ext/stringio/stringio.c
index 8df07e8..d1e0473 100644
--- a/ext/stringio/stringio.c
+++ b/ext/stringio/stringio.c
@@ -984,7 +984,7 @@ strio_unget_bytes(struct StringIO *ptr, const char *cp, long cl)
len = RSTRING_LEN(str);
rest = pos - len;
if (cl > pos) {
- long ex = (rest < 0 ? cl-pos : cl+rest);
+ long ex = cl - (rest < 0 ? pos : len);
rb_str_modify_expand(str, ex);
rb_str_set_len(str, len + ex);
s = RSTRING_PTR(str);
diff --git a/test/stringio/test_stringio.rb b/test/stringio/test_stringio.rb
index e0b4504..144a9f4 100644
--- a/test/stringio/test_stringio.rb
+++ b/test/stringio/test_stringio.rb
@@ -757,6 +757,15 @@ class TestStringIO < Test::Unit::TestCase
assert_equal("b""\0""a", s.string)
end
+ def test_ungetc_fill
+ count = 100
+ s = StringIO.new
+ s.print 'a' * count
+ s.ungetc('b' * (count * 5))
+ assert_equal((count * 5), s.string.size)
+ assert_match(/\Ab+\z/, s.string)
+ end
+
def test_ungetbyte_pos
b = '\\b00010001 \\B00010001 \\b1 \\B1 \\b000100011'
s = StringIO.new( b )
@@ -782,6 +791,15 @@ class TestStringIO < Test::Unit::TestCase
assert_equal("b""\0""a", s.string)
end
+ def test_ungetbyte_fill
+ count = 100
+ s = StringIO.new
+ s.print 'a' * count
+ s.ungetbyte('b' * (count * 5))
+ assert_equal((count * 5), s.string.size)
+ assert_match(/\Ab+\z/, s.string)
+ end
+
def test_frozen
s = StringIO.new
s.freeze
@@ -825,18 +843,17 @@ class TestStringIO < Test::Unit::TestCase
end
def test_overflow
- omit if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
+ return if RbConfig::SIZEOF["void*"] > RbConfig::SIZEOF["long"]
limit = RbConfig::LIMITS["INTPTR_MAX"] - 0x10
assert_separately(%w[-rstringio], "#{<<-"begin;"}\n#{<<-"end;"}")
begin;
limit = #{limit}
ary = []
- while true
+ begin
x = "a"*0x100000
break if [x].pack("p").unpack("i!")[0] < 0
ary << x
- omit if ary.size > 100
- end
+ end while ary.size <= 100
s = StringIO.new(x)
s.gets("xxx", limit)
assert_equal(0x100000, s.pos)
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink