Description: Fix Heap Overflow in Floating Point Parsing
This vulnerability is tracked with CVE-2013-4164.
.
https://www.ruby-lang.org/en/news/2013/11/22/ruby-1-9-3-p484-is-released/
Origin: upstream, https://bugs.ruby-lang.org/projects/ruby-193/repository/revisions/43776/diff
Bug-Debian: http://bugs.debian.org/730178
Forwarded: not-needed
Applied-Upstream: 1.9.3-p484, 2.0.0-p353
Last-Update: 2013-11-29
--- a/util.c
+++ b/util.c
@@ -852,6 +852,11 @@ extern void *MALLOC(size_t);
#else
#define MALLOC malloc
#endif
+#ifdef FREE
+extern void FREE(void*);
+#else
+#define FREE free
+#endif
#ifndef Omit_Private_Memory
#ifndef PRIVATE_MEM
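Review bot: The new FREE hook is only correct when it releases memory that came from MALLOC, yet the two are configured independently (`#ifdef MALLOC` in the context just above, `#ifdef FREE` here), so a build that overrides MALLOC without also defining FREE would hand an allocator-specific pointer to libc `free` on the new Bfree path. The coupling is not stated anywhere in the hunk; a comment on the new `#ifdef FREE` line would carry it: `/* must pair with MALLOC: Bfree releases k > Kmax blocks through it */`. Whether any existing build defines MALLOC alone is not visible from the patch and would need checking against the build configuration.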
@@ -1142,7 +1147,7 @@ Balloc(int k)
#endif
ACQUIRE_DTOA_LOCK(0);
- if ((rv = freelist[k]) != 0) {
+ if (k <= Kmax && (rv = freelist[k]) != 0) {
freelist[k] = rv->next;
}
else {
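Review bot: The `k <= Kmax` guard on the changed `if` is the only thing keeping `freelist[k]` in bounds, but nothing at the site says so, and the same guard is duplicated on the private-memory path in the next hunk; a one-line comment would stop a later edit from dropping either copy: `/* freelist has Kmax+1 slots; larger requests bypass the cache and go to MALLOC/FREE */`. The comparison is signed-against-signed, so a negative `k` would still pass and index below the array; if every caller computes `k` as a non-negative shift count (not visible here) that should be documented on Balloc, otherwise the check should reject negatives as well. Balloc's body, including the MALLOC fallback and the assignment of `k` into the block, continues outside the hunk.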
@@ -1152,7 +1157,7 @@ Balloc(int k)
#else
len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
/sizeof(double);
- if (pmem_next - private_mem + len <= PRIVATE_mem) {
+ if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
rv = (Bigint*)pmem_next;
pmem_next += len;
}
@@ -1171,6 +1176,10 @@ static void
Bfree(Bigint *v)
{
if (v) {
+ if (v->k > Kmax) {
+ FREE(v);
+ return;
+ }
ACQUIRE_DTOA_LOCK(0);
v->next = freelist[v->k];
freelist[v->k] = v;
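Review bot: The early `FREE(v); return;` branch runs before `ACQUIRE_DTOA_LOCK(0)`, which is correct only because a block with `k > Kmax` never sits on `freelist`, and the reader has to reconstruct that invariant from Balloc; a comment on the new `if` would carry it: `/* k > Kmax blocks were MALLOC'd directly by Balloc and never cached: release them, no lock needed */`. This also depends on Balloc storing `k` into `rv->k` on the MALLOC path as well as the cached paths; that assignment is outside the hunks shown and should be confirmed. Bfree's body continues past the hunk.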
@@ -2231,6 +2240,7 @@ break2:
for (; c >= '0' && c <= '9'; c = *++s) {
have_dig:
nz++;
+ if (nf > DBL_DIG * 4) continue;
if (c -= '0') {
nf += nz;
for (i = 1; i < nz; i++)
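Review bot: `if (nf > DBL_DIG * 4) continue;` bounds the number of fraction digits that reach the Bigint arithmetic, which is what keeps memory bounded for inputs like the 300000-digit test string, but it truncates rather than rounds: a digit beyond the cap is dropped outright, so a decimal whose first DBL_DIG*4 fraction digits land exactly on a rounding midpoint would in principle round to even instead of up. That is unlikely to matter in practice, but the constant looks arbitrary without a comment such as `/* cap fraction digits (CVE-2013-4164): bounds Bigint size; excess digits are truncated, not rounded */`. The `continue` also skips whatever follows in the loop body, including any `nz = 0` reset (outside the hunk), so `nz` keeps growing past the cap; if later code reads `nz` for anything beyond the no-digits check that should be confirmed. The enclosing `for` continues past the hunk.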
--- a/test/ruby/test_float.rb
+++ b/test/ruby/test_float.rb
@@ -519,4 +519,16 @@ class TestFloat < Test::Unit::TestCase
sleep(0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1+0.1)
end
end
+
+ def test_long_string
+ assert_normal_exit(<<-'end;')
+ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
+ end;
+ end
+
+ def test_long_string
+ assert_normal_exit(<<-'end;')
+ assert_in_epsilon(10.0, ("1."+"1"*300000).to_f*9)
+ end;
+ end
end
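Review bot: `test_long_string` is defined twice in this hunk with identical bodies; Ruby silently replaces the first definition with the second (only `-w` reports it), so one copy should be deleted. The remaining test is well chosen: `assert_normal_exit` runs the snippet in a child process, so a crash in the C parser is reported as a failure instead of taking down the test runner, and `assert_in_epsilon` checks that the digit cap still yields the correctly parsed value rather than just surviving. A short comment above the test naming the issue it regresses, `# CVE-2013-4164: long fraction digit strings must not overflow Balloc`, would tell a future reader why a 300000-digit literal is here.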