Fix buffer overrun in String-to-Float conversion.

Backported from upstream Ruby 2.6.10: <69f9992ed4> Resolves: CVE-2022-28739
2023-06-12 20:08:04 +02:00 · 2023-06-12 20:08:04 +02:00 · 446d49ffd1
commit 446d49ffd1
parent 064a52cca5
2 changed files with 80 additions and 0 deletions
--- a/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
+++ b/ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
@ -0,0 +1,73 @@
 From 8e2ed0b9d965a526b29f9dc3bff8e9fe33dae98d Mon Sep 17 00:00:00 2001
 From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
 Date: Tue, 12 Apr 2022 11:49:45 +0000
 Subject: [PATCH] Fix CVE-2022-28739 Buffer overrun in str2float.
 CVE-2022-28739: Buffer overrun in String-to-Float conversion
 Backported from upstream Ruby 2.6.10,
 Git commit:
 https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
 ==== Original commit message
 Fix dtoa buffer overrun
 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
 ---
 test/ruby/test_float.rb | 18 ++++++++++++++++++
 util.c                  |  3 ++-
 2 files changed, 20 insertions(+), 1 deletion(-)
 diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
 index 7fabfd3..78c63c2 100644
 --- a/test/ruby/test_float.rb
 +++ b/test/ruby/test_float.rb
@@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase
       assert_raise(ArgumentError, n += z + "A") {Float(n)}
       assert_raise(ArgumentError, n += z + ".0") {Float(n)}
     end
 +
 +    x = nil
 +    2000.times do
 +      x = Float("0x"+"0"*30)
 +      break unless x == 0.0
 +    end
 +    assert_equal(0.0, x, ->{"%a" % x})
 +    x = nil
 +    2000.times do
 +      begin
 +        x = Float("0x1."+"0"*270)
 +      rescue ArgumentError => e
 +        raise unless /"0x1\.0{270}"/ =~ e.message
 +      else
 +        break
 +      end
 +    end
 +    assert_nil(x, ->{"%a" % x})
   end
   def test_divmod
 diff --git a/util.c b/util.c
 index 2222744..f1d910f 100644
 --- a/util.c
 +++ b/util.c
@@ -2046,6 +2046,7 @@ break2:
 	    if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
 	    if (*s == '0') {
 		while (*++s == '0');
 +		if (!*s) goto ret;
 		s1 = strchr(hexdigit, *s);
 	    }
 	    if (s1 != NULL) {
@@ -2068,7 +2069,7 @@ break2:
 		for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
 		    adj += aadj * ((s1 - hexdigit) & 15);
 		    if ((aadj /= 16) == 0.0) {
 -			while (strchr(hexdigit, *++s));
 +			while (*++s && strchr(hexdigit, *s));
 			break;
 		    }
 		}
 -- 
 2.41.0
--- a/ruby.spec
+++ b/ruby.spec
@ -216,6 +216,10 @@ Patch38: ruby-2.7.7-Fix-CVE-2021-33621-HTTP-response-splitting-in-CGI.patch
 # to retain compatibility.
 # https://github.com/ruby/cgi/commit/5e09d632f3b56d85b2659ab47d5571ae9e270e10
 Patch39: rubygem-cgi-0.3.6-Loosen-the-domain-regex-to-accept-dot.patch
 # CVE-2022-28739: Buffer overrun in String-to-Float conversion.
 # Backported from:
 # https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306
 Patch40: ruby-2.6.10-Fix-CVE-2022-28739-Buffer-overrun-in-str2float.patch
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -626,6 +630,7 @@ sed -i 's/"evaluation\/incorrect_words.yaml"\.freeze, //' \
 %patch37 -p1
 %patch38 -p1
 %patch39 -p1
 %patch40 -p1
 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1181,6 +1186,8 @@ OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file OPENSSL_CONF='' \
 * Mon Jun 12 2023 Jarek Prokop <jprokop@redhat.com> - 2.5.9-111
 - Fix HTTP response splitting in CGI.
  Resolves: CVE-2021-33621
 - Fix Buffer overrun in String-to-Float conversion.
  Resolves: CVE-2022-28739
 * Thu May 25 2023 Todd Zullinger <tmz@pobox.com> - 2.5.9-111
 - Fix rdoc parsing of nil text tokens.