From: "vpereira (Victor Pereira)"
Date: 2013-11-28T02:09:55+09:00
Subject: [ruby-core:58646] [ruby-trunk - Bug #9157] rb_readlink() calls rb_str_modify_expand() too early

Issue #9157 has been updated by vpereira (Victor Pereira).

Does it deserve a CVE?

----------------------------------------
Bug #9157: rb_readlink() calls rb_str_modify_expand() too early
https://bugs.ruby-lang.org/issues/9157#change-43214

Author: nowacki (Maciek Nowacki)
Status: Closed
Priority: Normal
Assignee:
Category: core
Target version: current: 2.1.0
ruby -v: ruby 2.0.0p353 (2013-11-22) [x86_64-linux]
Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED

If rb_readlink() (file.c) is called on a long symlink, Ruby tends to crash. This is present in -trunk. The problem is that the rb_str_modify_expand() statement is incorrectly placed before the statement 'size*=2'.

Here is a patch:

--- -	2013-11-25 22:10:59.694183795 -0700
+++ file.c	2013-11-25 22:10:03.076352889 -0700
@@ -2529,8 +2529,8 @@
             || (rv < 0 && errno == ERANGE) /* quirky behavior of GPFS */
 #endif
         ) {
-        rb_str_modify_expand(v, size);
         size *= 2;
+        rb_str_modify_expand(v, size);
     }
     if (rv < 0) {
         rb_str_resize(v, 0);

-- 
http://bugs.ruby-lang.org/
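Review bot: the reordering in this hunk is right, but the loop body deserves a one-line comment saying why `rb_str_modify_expand(v, size)` must be given the already-doubled `size`: the string has to have room for the `size` bytes the next readlink() call is allowed to write, and with the old order the buffer was grown by the previous, smaller value while the doubled one was passed on, which is the overrun the report describes. The Backport field marks 2.0.0 as REQUIRED and the report reproduces the crash on 2.0.0p353, so the backport should carry the same statement order.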
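As an added illustration (not code from the report or from Ruby's file.c), the following C model replays the growth loop from rb_readlink() in both the original and the patched statement order and reports whether readlink() would write past the string's capacity. It assumes rb_str_modify_expand(v, n) guarantees a capacity of at least the string's current length plus n bytes while leaving that length at its initial value, and it uses a stand-in for readlink() that only reports how many bytes a link of a given length would occupy.

```c
/* Added model of the buffer-growth loop in rb_readlink() (file.c) from this
 * report; not Ruby's code.  Assumption: rb_str_modify_expand(v, n) guarantees
 * capacity >= len + n, and len stays at its initial value during the loop. */
#include <stddef.h>

struct rstr { size_t len; size_t capa; };   /* stand-in for a Ruby String */

static void modify_expand(struct rstr *s, size_t expand)
{
    if (s->capa < s->len + expand)
        s->capa = s->len + expand;
}

/* Stand-in for readlink(): how many bytes a link of link_len bytes would
 * occupy when the caller offers a buffer of bufsiz bytes. */
static size_t fake_readlink(size_t link_len, size_t bufsiz)
{
    return link_len < bufsiz ? link_len : bufsiz;
}

/* Replays the loop with the original (fixed == 0) or patched (fixed == 1)
 * statement order.  Returns 1 if readlink() would write more bytes than the
 * string has capacity for at some iteration, 0 otherwise. */
int readlink_loop_overflows(size_t link_len, int fixed)
{
    size_t size = 100;                      /* initial size in rb_readlink */
    struct rstr v = { size, size };         /* rb_str_new(0, size) */
    size_t rv;

    for (;;) {
        rv = fake_readlink(link_len, size);
        if (rv > v.capa)                    /* bytes land past the allocation */
            return 1;
        if (rv != size)
            break;                          /* the whole link fitted */
        if (fixed) {
            size *= 2;
            modify_expand(&v, size);        /* room for the doubled size */
        } else {
            modify_expand(&v, size);        /* grows by the old size only */
            size *= 2;                      /* ...but readlink gets twice that */
        }
    }
    return 0;
}
```

With the original order the capacity after each expansion is the initial length plus the previous size, so any link longer than 300 bytes overruns on the third call; with the patched order the capacity is always at least the size handed to readlink().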