|
1 Patch from upstream to fix CVE-2016-2337. |
|
2 |
|
3 See: |
|
4 |
|
5 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2337 |
|
6 |
|
7 and: |
|
8 |
|
9 https://bugzilla.suse.com/show_bug.cgi?id=1018812 |
|
10 |
|
11 for more details. |
|
12 |
|
13 Based on the patches at: |
|
14 |
|
15 https://github.com/ruby/tk/commit/ebd0fc80d62eeb7b8556522256f8d035e013eb65 |
|
16 https://github.com/ruby/tk/commit/d098136e3f62a4879a7d7cd34bbd50f482ba3331 |
|
17 |
|
18 --- ruby-2.1.6/ext/tk/tcltklib.c.orig 2017-01-24 07:24:44.277290163 +0000 |
|
19 +++ ruby-2.1.6/ext/tk/tcltklib.c 2017-01-24 11:10:02.370460844 +0000 |
|
20 @@ -3291,7 +3291,7 @@ |
|
21 DUMP1("set backtrace"); |
|
22 if (!NIL_P(backtrace = rb_funcall(exc, ID_backtrace, 0, 0))) { |
|
23 backtrace = rb_ary_join(backtrace, rb_str_new2("\n")); |
|
24 - Tcl_AddErrorInfo(interp, StringValuePtr(backtrace)); |
|
25 + Tcl_AddErrorInfo(interp, StringValueCStr(backtrace)); |
|
26 } |
|
27 |
|
28 rb_thread_critical = thr_crit_bup; |
|
29 @@ -6217,19 +6217,19 @@ |
|
30 /* without Tk */ |
|
31 with_tk = 0; |
|
32 } else { |
|
33 - /* Tcl_SetVar(ptr->ip, "argv", StringValuePtr(opts), 0); */ |
|
34 - Tcl_SetVar(ptr->ip, "argv", StringValuePtr(opts), TCL_GLOBAL_ONLY); |
|
35 + /* Tcl_SetVar(ptr->ip, "argv", StringValueCStr(opts), 0); */ |
|
36 + Tcl_SetVar(ptr->ip, "argv", StringValueCStr(opts), TCL_GLOBAL_ONLY); |
|
37 Tcl_Eval(ptr->ip, "set argc [llength $argv]"); |
|
38 } |
|
39 case 1: |
|
40 /* argv0 */ |
|
41 if (!NIL_P(argv0)) { |
|
42 - if (strncmp(StringValuePtr(argv0), "-e", 3) == 0 |
|
43 - || strncmp(StringValuePtr(argv0), "-", 2) == 0) { |
|
44 + if (strncmp(StringValueCStr(argv0), "-e", 3) == 0 |
|
45 + || strncmp(StringValueCStr(argv0), "-", 2) == 0) { |
|
46 Tcl_SetVar(ptr->ip, "argv0", "ruby", TCL_GLOBAL_ONLY); |
|
47 } else { |
|
48 - /* Tcl_SetVar(ptr->ip, "argv0", StringValuePtr(argv0), 0); */ |
|
49 - Tcl_SetVar(ptr->ip, "argv0", StringValuePtr(argv0), |
|
50 + /* Tcl_SetVar(ptr->ip, "argv0", StringValueCStr(argv0), 0); */ |
|
51 + Tcl_SetVar(ptr->ip, "argv0", StringValueCStr(argv0), |
|
52 TCL_GLOBAL_ONLY); |
|
53 } |
|
54 } |
|
55 @@ -6426,7 +6426,7 @@ |
|
56 slave->allow_ruby_exit = 0; |
|
57 slave->return_value = 0; |
|
58 |
|
59 - slave->ip = Tcl_CreateSlave(master->ip, StringValuePtr(name), safe); |
|
60 + slave->ip = Tcl_CreateSlave(master->ip, StringValueCStr(name), safe); |
|
61 if (slave->ip == NULL) { |
|
62 rb_thread_critical = thr_crit_bup; |
|
63 return rb_exc_new2(rb_eRuntimeError, |
|
64 @@ -6902,7 +6902,7 @@ |
|
65 get_obj_from_str(str) |
|
66 VALUE str; |
|
67 { |
|
68 - const char *s = StringValuePtr(str); |
|
69 + const char *s = StringValueCStr(str); |
|
70 |
|
71 #if TCL_MAJOR_VERSION == 8 && TCL_MINOR_VERSION == 0 |
|
72 return Tcl_NewStringObj((char*)s, RSTRING_LEN(str)); |
|
73 @@ -7750,7 +7750,8 @@ |
|
74 if (NIL_P(msg)) { |
|
75 msg_obj = NULL; |
|
76 } else { |
|
77 - msg_obj = Tcl_NewStringObj(RSTRING_PTR(msg), RSTRING_LEN(msg)); |
|
78 + char *s = StringValueCStr(msg); |
|
79 + msg_obj = Tcl_NewStringObj(s, RSTRING_LENINT(msg)); |
|
80 Tcl_IncrRefCount(msg_obj); |
|
81 } |
|
82 |
|
83 @@ -8414,7 +8415,7 @@ |
|
84 |
|
85 enc_name = rb_funcall(enc_name, ID_to_s, 0, 0); |
|
86 if (Tcl_SetSystemEncoding((Tcl_Interp *)NULL, |
|
87 - StringValuePtr(enc_name)) != TCL_OK) { |
|
88 + StringValueCStr(enc_name)) != TCL_OK) { |
|
89 rb_raise(rb_eArgError, "unknown encoding name '%s'", |
|
90 RSTRING_PTR(enc_name)); |
|
91 } |
|
92 @@ -8835,7 +8836,7 @@ |
|
93 Tcl_Preserve((ClientData)av); /* XXXXXXXX */ |
|
94 #endif |
|
95 for (i = 0; i < argc; ++i) { |
|
96 - av[i] = strdup(StringValuePtr(argv[i])); |
|
97 + av[i] = strdup(StringValueCStr(argv[i])); |
|
98 } |
|
99 av[argc] = NULL; |
|
100 #endif |
|
101 @@ -9839,7 +9840,7 @@ |
|
102 len = 1; |
|
103 for(num = 0; num < argc; num++) { |
|
104 if (OBJ_TAINTED(argv[num])) taint_flag = 1; |
|
105 - dst = StringValuePtr(argv[num]); |
|
106 + dst = StringValueCStr(argv[num]); |
|
107 #if TCL_MAJOR_VERSION >= 8 |
|
108 len += Tcl_ScanCountedElement(dst, RSTRING_LENINT(argv[num]), |
|
109 &flagPtr[num]) + 1; |