Package: ruby1.9.1 / 1.9.3.194-8.1+deb7u5

CVE-2013-4164.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
Description: Fix Heap Overflow in Floating Point Parsing
 This vulnerability is tracked with CVE-2013-4164.
 .
 https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
Origin: upstream, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff
Bug-Debian: http://bugs.debian.org/730178
Forwarded: not-needed
Applied-Upstream: 1.9.3-p484, 2.0.0-p353
Last-Update: 2013-11-29

--- a/util.c
+++ b/util.c
@@ -852,6 +852,11 @@ extern void *MALLOC(size_t);
 #else
 #define MALLOC malloc
 #endif
+#ifdef FREE
+extern void FREE(void*);
+#else
+#define FREE free
+#endif
 
 #ifndef Omit_Private_Memory
 #ifndef PRIVATE_MEM
@@ -1142,7 +1147,7 @@ Balloc(int k)
 #endif
 
     ACQUIRE_DTOA_LOCK(0);
-    if ((rv = freelist[k]) != 0) {
+    if (k <= Kmax && (rv = freelist[k]) != 0) {
         freelist[k] = rv->next;
     }
     else {
@@ -1152,7 +1157,7 @@ Balloc(int k)
 #else
         len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
                 /sizeof(double);
-        if (pmem_next - private_mem + len <= PRIVATE_mem) {
+        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
             rv = (Bigint*)pmem_next;
             pmem_next += len;
         }
@@ -1171,6 +1176,10 @@ static void
 Bfree(Bigint *v)
 {
     if (v) {
+        if (v->k > Kmax) {
+            FREE(v);
+            return;
+        }
         ACQUIRE_DTOA_LOCK(0);
         v->next = freelist[v->k];
         freelist[v->k] = v;
@@ -2231,6 +2240,7 @@ break2:
         for (; c >= '0' && c <= '9'; c = *++s) {
 have_dig:
             nz++;
+            if (nf > DBL_DIG * 4) continue;
             if (c -= '0') {
                 nf += nz;
                 for (i = 1; i < nz; i++)
--- a/test/ruby/test_float.rb
+++ b/test/ruby/test_float.rb
@@ -519,4 +519,16 @@ class TestFloat < Test::Unit::TestCase
       sleep(0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1)
     end
   end
+
+  def test_long_string
+    assert_normal_exit(<<-'end;')
+    assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
+    end;
+  end
+
+  def test_long_string
+    assert_normal_exit(<<-'end;')
+    assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
+    end;
+  end
 end