From 8e2ed0b9d965a526b29f9dc3bff8e9fe33dae98d Mon Sep 17 00:00:00 2001 From: usa Date: Tue, 12 Apr 2022 11:49:45 +0000 Subject: [PATCH] Fix CVE-2022-28739 Buffer overrun in str2float. CVE-2022-28739: Buffer overrun in String-to-Float conversion Backported from upstream Ruby 2.6.10, Git commit: https://github.com/ruby/ruby/commit/69f9992ed41920389d4185141a14f02f89a4d306 ==== Original commit message Fix dtoa buffer overrun git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67957 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- test/ruby/test_float.rb | 18 ++++++++++++++++++ util.c | 3 ++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb index 7fabfd3..78c63c2 100644 --- a/test/ruby/test_float.rb +++ b/test/ruby/test_float.rb @@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase assert_raise(ArgumentError, n += z + "A") {Float(n)} assert_raise(ArgumentError, n += z + ".0") {Float(n)} end + + x = nil + 2000.times do + x = Float("0x"+"0"*30) + break unless x == 0.0 + end + assert_equal(0.0, x, ->{"%a" % x}) + x = nil + 2000.times do + begin + x = Float("0x1."+"0"*270) + rescue ArgumentError => e + raise unless /"0x1\.0{270}"/ =~ e.message + else + break + end + end + assert_nil(x, ->{"%a" % x}) end def test_divmod diff --git a/util.c b/util.c index 2222744..f1d910f 100644 --- a/util.c +++ b/util.c @@ -2046,6 +2046,7 @@ break2: if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0; if (*s == '0') { while (*++s == '0'); + if (!*s) goto ret; s1 = strchr(hexdigit, *s); } if (s1 != NULL) { @@ -2068,7 +2069,7 @@ break2: for (; *s && (s1 = strchr(hexdigit, *s)); ++s) { adj += aadj * ((s1 - hexdigit) & 15); if ((aadj /= 16) == 0.0) { - while (strchr(hexdigit, *++s)); + while (*++s && strchr(hexdigit, *s)); break; } } -- 2.41.0