From aea59ebcf8fdcc7acf839ff9322c697326d224ba Mon Sep 17 00:00:00 2001
From: Tilman Sauerbeck
Date: Wed, 29 Jun 2005 16:50:47 +0000
Subject: [PATCH] Properly check for an integer overflow in Chunk#initialize.

An overflow can occur when we compute the total buffer size.
---
 ChangeLog | 4 +++-
 ext/ext.c | 11 +++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index dc3572d..aa269dc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,5 @@
 --
-$Id: ChangeLog 67 2005-06-29 15:44:09Z tilman $
+$Id: ChangeLog 68 2005-06-29 16:50:47Z tilman $
 ++
 
 2005-06-29 Tilman Sauerbeck (tilman at code-monkey de)
@@ -7,6 +7,8 @@ $Id: ChangeLog 67 2005-06-29 15:44:09Z tilman $
 	global variable
 	* ext/ext.c: Remove unneeded StringValue() calls in chunk_serialize()
+	* ext/ext.c: Properly check for an integer overflow when
+	  computing the total buffer size in Chunk#initialize
 
 2005-06-28 Tilman Sauerbeck (tilman at code-monkey de)
 	* ext/ext.c: Removed stray backslash
diff --git a/ext/ext.c b/ext/ext.c
index 63096a7..12b8500 100644
--- a/ext/ext.c
+++ b/ext/ext.c
@@ -1,5 +1,5 @@
 /*
- * $Id: ext.c 67 2005-06-29 15:44:09Z tilman $
+ * $Id: ext.c 68 2005-06-29 16:50:47Z tilman $
  *
  * Copyright (c) 2005 Tilman Sauerbeck (tilman at code-monkey de)
  *
@@ -467,7 +467,7 @@ stream_serialize (VALUE self)
 static VALUE
 chunk_init (VALUE self, VALUE tag, VALUE data)
 {
-	unsigned long len;
+	long tag_len, data_len, tmp;
 
 	StringValue (tag);
 	StringValue (data);
@@ -478,8 +478,11 @@ chunk_init (VALUE self, VALUE tag, VALUE data)
 	/* libeet uses a signed 32bit integer to store the
 	 * chunk size, so make sure we don't overflow it
 	 */
-	len = RSTRING (tag)->len + 1 + RSTRING (data)->len;
-	if (len < 0 || len >= 2147483647L)
+	tag_len = RSTRING (tag)->len;
+	data_len = RSTRING (data)->len;
+	tmp = tag_len + 1 + data_len;
+
+	if (tmp < tag_len || tmp < data_len || tmp < 1 || tmp >= 2147483647L)
 		rb_raise (rb_eArgError, "tag or data too long");
 
 	rb_ivar_set (self, id_tag, rb_str_dup_frozen (tag));
-- 
2.30.2
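Review bot: The new `if` detects overflow after the fact through `tmp < tag_len || tmp < data_len || tmp < 1`, but `tmp = tag_len + 1 + data_len` is signed `long` arithmetic, so a wrap is undefined behaviour and an optimizing compiler is entitled to assume it did not occur and fold those three comparisons to false, leaving the libeet 32-bit size limit guarded only by `tmp >= 2147483647L` (on a 32-bit `long` that is exactly the case the commit set out to fix). Both operands are Ruby string lengths and so non-negative, which lets the bound be enforced without ever forming an overflowing sum: `if (tag_len >= 2147483647L || data_len >= 2147483647L - 1 - tag_len)` followed by the existing `rb_raise`, and `tmp` then becomes unnecessary. Giving the repeated `2147483647L` literal a name next to the comment that explains it would also make the libeet constraint self-documenting. chunk_init's body continues past the end of the hunk.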