1 This ruby 1.8.7 patch was derived from the ruby 1.9.3 fix for: |
2 |
3 https://www.ruby-lang.org/en/news/2013/11/22/heap-overflow-in-floating-point-parsing-cve-2013-4164/ |
4 |
5 as seen here: |
6 http://bugs.ruby-lang.org/projects/ruby-trunk/repository/diff/util.c?rev=43780&rev_to=41757 |
7 |
8 CVE-2013-4164 |
9 |
10 Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 |
11 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision |
12 43780 allows context-dependent attackers to cause a denial of service |
13 (segmentation fault) and possibly execute arbitrary code via a string |
14 that is converted to a floating point value, as demonstrated using (1) |
15 the to_f method or (2) JSON.parse. |
16 |
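--- ruby-1.8.7-p374-orig/util.c 2010-11-21 23:21:34.000000000 -0800
+++ ruby-1.8.7-p374/util.c 2013-12-02 16:58:32.995038000 -0800
@@ -892,6 +892,11 @@
 #else
 #define MALLOC malloc
 #endif
+#ifdef FREE
+extern void FREE(void*);
+#else
+#define FREE free
+#endif
 
 #ifndef Omit_Private_Memory
 #ifndef PRIVATE_MEM
@@ -1176,7 +1181,7 @@
 #endif
 
 ACQUIRE_DTOA_LOCK(0);
-if ((rv = freelist[k]) != 0) {
+if (k <= Kmax && (rv = freelist[k]) != 0) {
 freelist[k] = rv->next;
 }
 else {
@@ -1186,7 +1191,7 @@
 #else
 len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
 /sizeof(double);
-if (pmem_next - private_mem + len <= PRIVATE_mem) {
+if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
 rv = (Bigint*)pmem_next;
 pmem_next += len;
 }
@@ -1205,6 +1210,10 @@
 Bfree(Bigint *v)
 {
 if (v) {
+if (v->k > Kmax) {
+FREE(v);
+return;
+}
 ACQUIRE_DTOA_LOCK(0);
 v->next = freelist[v->k];
 freelist[v->k] = v;
@@ -2200,6 +2209,7 @@
 for (; c >= '0' && c <= '9'; c = *++s) {
 have_dig:
 nz++;
+if (nf > DBL_DIG * 4) continue;
 if (c -= '0') {
 nf += nz;
 for (i = 1; i < nz; i++)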
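Review bot: The new `#define FREE free` fallback in the first hunk is only correct when paired with the `#define MALLOC malloc` fallback directly above it; a build that overrides `MALLOC` (the `#else` at the top of the hunk shows such an override path exists) but leaves `FREE` undefined would hand a `MALLOC`-obtained Bigint to plain `free` in the new `if (v->k > Kmax)` path of `Bfree`. I would document the coupling above the added block, e.g. `/* FREE must release memory obtained with MALLOC: override both or neither. */`. The `v->k > Kmax` early return in `Bfree` also deserves a one-line comment tying it to the `k <= Kmax` guards added to `Balloc`, e.g. `/* k > Kmax never comes from freelist[] (indexed up to Kmax); release it directly */`, since an unbounded freelist index appears to be the overflow the CVE-2013-4164 note describes. The `nf > DBL_DIG * 4` cap in the digit loop is what keeps `k` small for any input string; `Balloc`, `Bfree` and the parsing loop all begin and end outside their hunks, so the `MALLOC` path taken for `k > Kmax` is presumed rather than visible here.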
|