- diff -Naur ruby-1.8.6-p114/array.c ruby-1.8.6-p114.1/array.c
- --- ruby-1.8.6-p114/array.c 2007-09-07 03:46:40.000000000 -0400
- +++ ruby-1.8.6-p114.1/array.c 2008-07-18 09:43:28.000000000 -0400
- @@ -20,6 +20,7 @@
- static ID id_cmp;
- #define ARY_DEFAULT_SIZE 16
- +#define ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE))
- void
- rb_mem_clear(mem, size)
- @@ -367,7 +368,7 @@
- new_capa = ARY_DEFAULT_SIZE;
- }
- new_capa += idx;
- - if (new_capa * (long)sizeof(VALUE) <= new_capa) {
- + if (new_capa < 0 || new_capa > LONG_MAX / sizeof(VALUE)) {
- rb_raise(rb_eArgError, "index too big");
- }
- REALLOC_N(RARRAY(ary)->ptr, VALUE, new_capa);
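Review bot: The `new_capa < 0` test runs only after `new_capa += idx` has been evaluated, and signed `long` overflow is undefined behaviour in C, so an optimising compiler is free to drop the test. Checking before the addition, as the rb_ary_fill hunk in this patch does, avoids relying on wraparound: `if (idx > ARY_MAX_SIZE - new_capa) rb_raise(rb_eArgError, "index too big");` (this assumes `idx` is non-negative here, which the hunk does not show). The same compute-then-test pattern appears in the `len = beg + rlen` hunk at -976 and in the `len = RSTRING(str)->len+RSTRING(str2)->len` hunk in string.c. Both array.c sites also spell out `LONG_MAX / sizeof(VALUE)` instead of using the new `ARY_MAX_SIZE` macro. The enclosing function starts and ends outside the hunk.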
- @@ -976,6 +977,9 @@
- if (beg >= RARRAY(ary)->len) {
- len = beg + rlen;
- + if (len < 0 || len > LONG_MAX / sizeof(VALUE)) {
- + rb_raise(rb_eIndexError, "index %ld too big", beg);
- + }
- if (len >= RARRAY(ary)->aux.capa) {
- REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
- RARRAY(ary)->aux.capa = len;
- @@ -2265,6 +2269,9 @@
- break;
- }
- rb_ary_modify(ary);
- + if (beg >= ARY_MAX_SIZE || len > ARY_MAX_SIZE - beg) {
- + rb_raise(rb_eArgError, "argument too big");
- + }
- end = beg + len;
- if (end < 0) {
- rb_raise(rb_eArgError, "argument too big");
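Review bot: `ARY_MAX_SIZE` has an unsigned type because `sizeof` yields `size_t`, so `beg >= ARY_MAX_SIZE` and `len > ARY_MAX_SIZE - beg` are evaluated in unsigned arithmetic and a negative `beg` or `len` is converted to a very large value. Whether either can be negative here depends on the argument parsing above the hunk, which is not visible; if a negative `len` can reach this point it would now raise "argument too big" rather than fall through to the later code. Keeping the comparison signed makes the intent explicit: `#define ARY_MAX_SIZE (LONG_MAX / (long)sizeof(VALUE))`, with an explicit `len < 0` case if one is wanted. Once this guard passes, the existing `end < 0` test after `end = beg + len` looks unreachable.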
- diff -Naur ruby-1.8.6-p114/string.c ruby-1.8.6-p114.1/string.c
- --- ruby-1.8.6-p114/string.c 2007-09-07 03:40:27.000000000 -0400
- +++ ruby-1.8.6-p114.1/string.c 2008-07-18 09:43:28.000000000 -0400
- @@ -458,10 +458,9 @@
- VALUE *argv;
- if (TYPE(arg) == T_ARRAY) {
- - argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1);
- - argv[0] = str;
- - MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len);
- - return rb_f_sprintf(RARRAY(arg)->len+1, argv);
- + argv = rb_ary_dup(arg);
- + rb_ary_unshift(argv, str);
- + return rb_f_sprintf(RARRAY(arg)->len+1, RARRAY(argv)->ptr);
- }
- argv = ALLOCA_N(VALUE, 2);
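Review bot: `argv` is declared `VALUE *` at the top of the hunk but now receives the `VALUE` returned by `rb_ary_dup`, and only its `->ptr` is handed to `rb_f_sprintf`, so nothing visible keeps the duplicated array referenced while its buffer is in use. If the compiler drops `argv` after loading `->ptr`, a GC run during formatting could presumably reclaim that buffer. A dedicated `volatile VALUE tmp = rb_ary_dup(arg);` followed by `rb_ary_unshift(tmp, str);` and `return rb_f_sprintf(RARRAY(tmp)->len, RARRAY(tmp)->ptr);` fixes the type and takes the count from the array actually passed instead of from `arg`. The function's start and end are outside the hunk.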
- @@ -780,6 +779,9 @@
- capa = RSTRING(str)->aux.capa;
- }
- len = RSTRING(str)->len+RSTRING(str2)->len;
- + if (len < 0 || (capa+1) > LONG_MAX / 2) {
- + rb_raise(rb_eArgError, "string sizes too big");
- + }
- if (capa <= len) {
- while (len > capa) {
- capa = (capa + 1) * 2;
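Review bot: The `(capa+1) > LONG_MAX / 2` guard is evaluated once before the loop, but `capa = (capa + 1) * 2` can run several times, so a later iteration can still overflow when `len` is close to `LONG_MAX`. The guard also raises when `capa` is large but already exceeds `len`, where no growth is needed at all. Testing inside the loop, before the doubling line, covers every iteration, for example `if (capa + 1 > LONG_MAX / 2) { capa = len; break; }`. The `len < 0` half has the post-overflow problem of the other compute-then-test sites in this patch and would be better as `RSTRING(str2)->len > LONG_MAX - RSTRING(str)->len`. The loop body continues past the end of the hunk.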