components/ruby/patches/10-CVE-2013-4164.patch
author April Chin <april.chin@oracle.com>
Fri, 20 Dec 2013 13:51:55 -0800
branchs11u1-sru
changeset 2864 7d980597e334
permissions -rw-r--r--
17884834 problem in UTILITY/RUBY 17905257 problem in UTILITY/RUBY
This ruby 1.8.7 patch was derived from the ruby 1.9.3 fix for:
https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
as seen here:
http://bugs.ruby-lang.org/projects/ruby-trunk/repository/diff/util.c?rev=43780&rev_to=41757
CVE-2013-4164
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision
43780 allows context-dependent attackers to cause a denial of service
(segmentation fault) and possibly execute arbitrary code via a string
that is converted to a floating point value, as demonstrated using (1)
the to_f method or (2) JSON.parse.
    17
--- ruby-1.8.7-p374-orig/util.c	2010-11-21 23:21:34.000000000 -0800
    18
+++ ruby-1.8.7-p374/util.c	2013-12-02 16:58:32.995038000 -0800
    19
@@ -892,6 +892,11 @@
    20
 #else
    21
 #define MALLOC malloc
    22
 #endif
    23
+#ifdef FREE
    24
+extern void FREE(void*);
    25
+#else
    26
+#define FREE free
    27
+#endif
    28
 
    29
 #ifndef Omit_Private_Memory
    30
 #ifndef PRIVATE_MEM
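Review bot: The new `FREE` fallback is chosen independently of `MALLOC`, so a build that overrides `MALLOC` but not `FREE` would release custom-allocator blocks with libc `free` at the `FREE(v)` call added to `Bfree` in the hunk at `-1205`. The `#ifdef MALLOC` that opens the preceding conditional is above this hunk, so whether this tree overrides it is not visible here. I would state the pairing next to the definition, for example `/* FREE must release exactly what MALLOC returns: override both or neither */`, and consider a `#error` for the case where only one of the two is defined.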
    31
@@ -1176,7 +1181,7 @@
    32
 #endif
    33
 
    34
     ACQUIRE_DTOA_LOCK(0);
    35
-    if ((rv = freelist[k]) != 0) {
    36
+    if (k <= Kmax && (rv = freelist[k]) != 0) {
    37
         freelist[k] = rv->next;
    38
     }
    39
     else {
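Review bot: The `k <= Kmax` test in `if (k <= Kmax && (rv = freelist[k]) != 0)` carries no comment saying what it protects. From its use here `freelist` appears to have slots only for `0..Kmax` (its declaration is outside the hunk), so this check is what keeps an oversized `k` from indexing past the array. A line such as `/* freelist[] covers 0..Kmax only; larger blocks are never cached */` above the `if` would record that. The check bounds `k` only from above, so if `k` is a signed `int` the non-negative assumption deserves a mention in the same comment. The enclosing function starts and ends outside the hunk.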
    40
@@ -1186,7 +1191,7 @@
    41
 #else
    42
         len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
    43
                 /sizeof(double);
    44
-        if (pmem_next - private_mem + len <= PRIVATE_mem) {
    45
+        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
    46
             rv = (Bigint*)pmem_next;
    47
             pmem_next += len;
    48
         }
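Review bot: The reason the private pool must be skipped when `k > Kmax` is not recorded next to `if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem)`. `Bfree` in the next hunk passes such blocks to `FREE(v)`, which is only valid for memory obtained from `MALLOC`, never for a slice of `private_mem`. Without a comment, a later edit that relaxes this condition would turn that `FREE` into an invalid free. I would add `/* k > Kmax blocks must come from MALLOC because Bfree() releases them with FREE() */` above the `if`. The `else` branch that performs the heap allocation is outside the hunk.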
    49
@@ -1205,6 +1210,10 @@
    50
 Bfree(Bigint *v)
    51
 {
    52
     if (v) {
    53
+        if (v->k > Kmax) {
    54
+            FREE(v);
    55
+            return;
    56
+        }
    57
         ACQUIRE_DTOA_LOCK(0);
    58
         v->next = freelist[v->k];
    59
         freelist[v->k] = v;
    60
@@ -2200,6 +2209,7 @@
    61
         for (; c >= '0' && c <= '9'; c = *++s) {
    62
 have_dig:
    63
             nz++;
    64
+            if (nf > DBL_DIG * 4) continue;
    65
             if (c -= '0') {
    66
                 nf += nz;
    67
                 for (i = 1; i < nz; i++)
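Review bot: The cap in `if (nf > DBL_DIG * 4) continue;` is a bare magic expression with no explanation of why digits past that point may be skipped while `nz` keeps counting them. A short comment such as `/* skip further fraction digits to bound the Bigint size */` would help, with the precision rationale confirmed against the upstream change before it is written down. This hunk limits only the fractional count `nf`; the integer-digit loop is outside the hunk, so whether it has the same limit is not visible here and is worth checking. `DBL_DIG` also needs `<float.h>` in scope in util.c, which this patch does not show. The enclosing function starts and ends outside the hunk.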