components/ruby/patches/10-CVE-2013-4164.patch
branchs11u1-sru
changeset 2864 7d980597e334
2863:ce50bf80797e 2864:7d980597e334
       
     1 This ruby 1.8.7 patch was derived from the ruby 1.9.3 fix for:
       
     2 
       
     3 https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/
       
     4 
       
     5 as seen here:
       
     6 http://bugs.ruby-lang.org/projects/ruby-trunk/repository/diff/util.c?rev=43780&rev_to=41757
       
     7 
       
     8 CVE-2013-4164
       
     9 
       
    10 Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0
       
    11 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision
       
    12 43780 allows context-dependent attackers to cause a denial of service
       
    13 (segmentation fault) and possibly execute arbitrary code via a string
       
    14 that is converted to a floating point value, as demonstrated using (1)
       
    15 the to_f method or (2) JSON.parse.
       
    16 
       
    17 --- ruby-1.8.7-p374-orig/util.c	2010-11-21 23:21:34.000000000 -0800
       
    18 +++ ruby-1.8.7-p374/util.c	2013-12-02 16:58:32.995038000 -0800
       
    19 @@ -892,6 +892,11 @@
       
    20  #else
       
    21  #define MALLOC malloc
       
    22  #endif
       
    23 +#ifdef FREE
       
    24 +extern void FREE(void*);
       
    25 +#else
       
    26 +#define FREE free
       
    27 +#endif
       
    28  
       
    29  #ifndef Omit_Private_Memory
       
    30  #ifndef PRIVATE_MEM
       
    31 @@ -1176,7 +1181,7 @@
       
    32  #endif
       
    33  
       
    34      ACQUIRE_DTOA_LOCK(0);
       
    35 -    if ((rv = freelist[k]) != 0) {
       
    36 +    if (k <= Kmax && (rv = freelist[k]) != 0) {
       
    37          freelist[k] = rv->next;
       
    38      }
       
    39      else {
       
    40 @@ -1186,7 +1191,7 @@
       
    41  #else
       
    42          len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
       
    43                  /sizeof(double);
       
    44 -        if (pmem_next - private_mem + len <= PRIVATE_mem) {
       
    45 +        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
       
    46              rv = (Bigint*)pmem_next;
       
    47              pmem_next += len;
       
    48          }
       
    49 @@ -1205,6 +1210,10 @@
       
    50  Bfree(Bigint *v)
       
    51  {
       
    52      if (v) {
       
    53 +        if (v->k > Kmax) {
       
    54 +            FREE(v);
       
    55 +            return;
       
    56 +        }
       
    57          ACQUIRE_DTOA_LOCK(0);
       
    58          v->next = freelist[v->k];
       
    59          freelist[v->k] = v;
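Review bot: The early `FREE(v); return;` added to Bfree assumes that every Bigint with `k > Kmax` was obtained from MALLOC and never from `freelist` or the `private_mem` arena, and that assumption is only visible by cross-reading the two `k <= Kmax` guards added to Balloc in the hunks above; the MALLOC fallback branch those guards fall through to is itself outside the hunks. A one-line comment at the new branch would make the invariant local, e.g. `/* k > Kmax is never served from freelist or private_mem (see Balloc); release with the MALLOC/FREE pair */`, so a later maintainer does not reintroduce a freelist path for large k. It would also be worth confirming that a host which overrides only one of MALLOC and FREE still ends up with a matching allocator pair, since the `#ifdef FREE` block in the first hunk mirrors the existing MALLOC block but is independent of it. Bfree's body continues outside the hunk.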
       
    60 @@ -2200,6 +2209,7 @@
       
    61          for (; c >= '0' && c <= '9'; c = *++s) {
       
    62  have_dig:
       
    63              nz++;
       
    64 +            if (nf > DBL_DIG * 4) continue;
       
    65              if (c -= '0') {
       
    66                  nf += nz;
       
    67                  for (i = 1; i < nz; i++)