From 180f39bf4c5246ff77ef71011a75e7669019afab Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Tue, 31 Jul 2018 16:14:18 +0900 Subject: Check size of the integer multiply before actual overflow; fix #4062 --- mrbgems/mruby-sprintf/src/sprintf.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'mrbgems/mruby-sprintf/src/sprintf.c') diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c index 7eea1a1f3..738c5485f 100644 --- a/mrbgems/mruby-sprintf/src/sprintf.c +++ b/mrbgems/mruby-sprintf/src/sprintf.c @@ -119,13 +119,11 @@ mrb_fix2binstr(mrb_state *mrb, mrb_value x, int base) #define FPREC0 128 #define CHECK(l) do {\ -/* int cr = ENC_CODERANGE(result);*/\ while ((l) >= bsiz - blen) {\ + if (bsiz > MRB_INT_MAX/2) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \ bsiz*=2;\ - if (bsiz < 0) mrb_raise(mrb, E_ARGUMENT_ERROR, "too big specifier"); \ }\ mrb_str_resize(mrb, result, bsiz);\ -/* ENC_CODERANGE_SET(result, cr);*/\ buf = RSTRING_PTR(result);\ } while (0) @@ -202,11 +200,10 @@ check_name_arg(mrb_state *mrb, int posarg, const char *name, mrb_int len) #define GETNUM(n, val) \ for (; p < end && ISDIGIT(*p); p++) {\ - mrb_int next_n = 10 * n + (*p - '0'); \ - if (next_n / 10 != n) {\ + if (n > MRB_INT_MAX/10) {\ mrb_raise(mrb, E_ARGUMENT_ERROR, #val " too big"); \ } \ - n = next_n; \ + n = 10 * n + (*p - '0'); \ } \ if (p >= end) { \ mrb_raise(mrb, E_ARGUMENT_ERROR, "malformed format string - %*[0-9]"); \ -- cgit v1.2.3 From 625976d7931006bae7e960e561ecdaccb0cb6a28 Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Fri, 7 Sep 2018 03:16:44 +0900 Subject: Fix integer overflow issue; fix #4108 I misunderstood the return value from `snprintf()`, which is NOT number of characters written in buffer, but the number of character the buffer has to have to write the complete output. --- mrbgems/mruby-sprintf/src/sprintf.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'mrbgems/mruby-sprintf/src/sprintf.c') diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c index 738c5485f..ea127c574 100644 --- a/mrbgems/mruby-sprintf/src/sprintf.c +++ b/mrbgems/mruby-sprintf/src/sprintf.c @@ -1057,17 +1057,21 @@ retry: need = BIT_DIGITS(i); } need += (flags&FPREC) ? prec : 6; + if (need < 0) { + too_big_width: + mrb_raise(mrb, E_ARGUMENT_ERROR, + (width > prec ? "width too big" : "prec too big")); + } if ((flags&FWIDTH) && need < width) need = width; need += 20; if (need <= 0) { - mrb_raise(mrb, E_ARGUMENT_ERROR, - (width > prec ? "width too big" : "prec too big")); + goto too_big_width; } CHECK(need); n = snprintf(&buf[blen], need, fbuf, fval); - if (n < 0) { + if (n < 0 || n >= need) { mrb_raise(mrb, E_RUNTIME_ERROR, "formatting error"); } blen += n; -- cgit v1.2.3 From 2760cea4511135c30d6d9f6bb658ff86e62804d6 Mon Sep 17 00:00:00 2001 From: Clayton Smith Date: Fri, 14 Sep 2018 16:53:26 -0400 Subject: Prevent signed integer overflow. --- mrbgems/mruby-sprintf/src/sprintf.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'mrbgems/mruby-sprintf/src/sprintf.c') diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c index ea127c574..15d7b5464 100644 --- a/mrbgems/mruby-sprintf/src/sprintf.c +++ b/mrbgems/mruby-sprintf/src/sprintf.c @@ -200,7 +200,7 @@ check_name_arg(mrb_state *mrb, int posarg, const char *name, mrb_int len) #define GETNUM(n, val) \ for (; p < end && ISDIGIT(*p); p++) {\ - if (n > MRB_INT_MAX/10) {\ + if (n > (MRB_INT_MAX - (*p - '0'))/10) {\ mrb_raise(mrb, E_ARGUMENT_ERROR, #val " too big"); \ } \ n = 10 * n + (*p - '0'); \ @@ -1056,18 +1056,18 @@ retry: if (i > 0) need = BIT_DIGITS(i); } - need += (flags&FPREC) ? prec : 6; - if (need < 0) { + if (need > MRB_INT_MAX - ((flags&FPREC) ? prec : 6)) { too_big_width: mrb_raise(mrb, E_ARGUMENT_ERROR, (width > prec ? "width too big" : "prec too big")); } + need += (flags&FPREC) ? prec : 6; if ((flags&FWIDTH) && need < width) need = width; - need += 20; - if (need <= 0) { + if (need > MRB_INT_MAX - 20) { goto too_big_width; } + need += 20; CHECK(need); n = snprintf(&buf[blen], need, fbuf, fval); -- cgit v1.2.3 From 610bcc88c2b4f3ca9bbfebb57279c25806fa0461 Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Wed, 19 Sep 2018 22:53:48 +0900 Subject: Removed `to_hash` conversion method. --- mrbgems/mruby-hash-ext/mrblib/hash.rb | 30 +++++++----------------------- mrbgems/mruby-kernel-ext/src/kernel.c | 20 ++++++-------------- mrbgems/mruby-sprintf/src/sprintf.c | 2 +- mrblib/hash.rb | 14 ++++---------- src/class.c | 15 ++------------- src/hash.c | 28 ---------------------------- src/object.c | 17 +++++++++++++++++ 7 files changed, 37 insertions(+), 89 deletions(-) (limited to 'mrbgems/mruby-sprintf/src/sprintf.c') diff --git a/mrbgems/mruby-hash-ext/mrblib/hash.rb b/mrbgems/mruby-hash-ext/mrblib/hash.rb index f1143e25b..547f3404a 100644 --- a/mrbgems/mruby-hash-ext/mrblib/hash.rb +++ b/mrbgems/mruby-hash-ext/mrblib/hash.rb @@ -27,9 +27,9 @@ class Hash length = object.length if length == 1 o = object[0] - if o.respond_to?(:to_hash) + if Hash === o h = self.new - object[0].to_hash.each { |k, v| h[k] = v } + o.each { |k, v| h[k] = v } return h elsif o.respond_to?(:to_a) h = self.new @@ -82,7 +82,7 @@ class Hash # def merge!(other, &block) - raise TypeError, "can't convert argument into Hash" unless other.respond_to?(:to_hash) + raise TypeError, "Hash required (#{other.class} given)" unless Hash === other if block other.each_key{|k| self[k] = (self.has_key?(k))? block.call(k, self[k], other[k]): other[k] @@ -310,11 +310,7 @@ class Hash # h1 < h1 #=> false # def <(hash) - begin - hash = hash.to_hash - rescue NoMethodError - raise TypeError, "can't convert #{hash.class} to Hash" - end + raise TypeError, "can't convert #{hash.class} to Hash" unless Hash === hash size < hash.size and all? {|key, val| hash.key?(key) and hash[key] == val } @@ -334,11 +330,7 @@ class Hash # h1 <= h1 #=> true # def <=(hash) - begin - hash = hash.to_hash - rescue NoMethodError - raise TypeError, "can't convert #{hash.class} to Hash" - end + raise TypeError, "can't convert #{hash.class} to Hash" unless Hash === hash size <= hash.size and all? {|key, val| hash.key?(key) and hash[key] == val } @@ -358,11 +350,7 @@ class Hash # h1 > h1 #=> false # def >(hash) - begin - hash = hash.to_hash - rescue NoMethodError - raise TypeError, "can't convert #{hash.class} to Hash" - end + raise TypeError, "can't convert #{hash.class} to Hash" unless Hash === hash size > hash.size and hash.all? {|key, val| key?(key) and self[key] == val } @@ -382,11 +370,7 @@ class Hash # h1 >= h1 #=> true # def >=(hash) - begin - hash = hash.to_hash - rescue NoMethodError - raise TypeError, "can't convert #{hash.class} to Hash" - end + raise TypeError, "can't convert #{hash.class} to Hash" unless Hash === hash size >= hash.size and hash.all? {|key, val| key?(key) and self[key] == val } diff --git a/mrbgems/mruby-kernel-ext/src/kernel.c b/mrbgems/mruby-kernel-ext/src/kernel.c index 324753f6e..99affbfa4 100644 --- a/mrbgems/mruby-kernel-ext/src/kernel.c +++ b/mrbgems/mruby-kernel-ext/src/kernel.c @@ -184,9 +184,9 @@ mrb_f_array(mrb_state *mrb, mrb_value self) * call-seq: * Hash(arg) -> hash * - * Converts arg to a Hash by calling - * arg.to_hash. Returns an empty Hash when - * arg is nil or []. + * Returns a Hash if arg is a Hash. + * Returns an empty Hash when arg is nil + * or []. * * Hash([]) #=> {} * Hash(nil) #=> {} @@ -197,21 +197,13 @@ mrb_f_array(mrb_state *mrb, mrb_value self) static mrb_value mrb_f_hash(mrb_state *mrb, mrb_value self) { - mrb_value arg, tmp; + mrb_value arg; mrb_get_args(mrb, "o", &arg); - if (mrb_nil_p(arg)) { + if (mrb_nil_p(arg) || (mrb_array_p(arg) && RARRAY_LEN(arg) == 0)) { return mrb_hash_new(mrb); } - tmp = mrb_check_convert_type(mrb, arg, MRB_TT_HASH, "Hash", "to_hash"); - if (mrb_nil_p(tmp)) { - if (mrb_array_p(arg) && RARRAY_LEN(arg) == 0) { - return mrb_hash_new(mrb); - } - mrb_raisef(mrb, E_TYPE_ERROR, "can't convert %S into Hash", - mrb_str_new_cstr(mrb, mrb_obj_classname(mrb, arg))); - } - return tmp; + return mrb_ensure_hash_type(mrb, arg); } /* diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c index 15d7b5464..5a4a7899e 100644 --- a/mrbgems/mruby-sprintf/src/sprintf.c +++ b/mrbgems/mruby-sprintf/src/sprintf.c @@ -233,7 +233,7 @@ get_hash(mrb_state *mrb, mrb_value *hash, mrb_int argc, const mrb_value *argv) if (argc != 2) { mrb_raise(mrb, E_ARGUMENT_ERROR, "one hash required"); } - tmp = mrb_check_convert_type(mrb, argv[1], MRB_TT_HASH, "Hash", "to_hash"); + tmp = mrb_check_hash_type(mrb, argv[1]); if (mrb_nil_p(tmp)) { mrb_raise(mrb, E_ARGUMENT_ERROR, "one hash required"); } diff --git a/mrblib/hash.rb b/mrblib/hash.rb index 6b61218ff..609883ecb 100644 --- a/mrblib/hash.rb +++ b/mrblib/hash.rb @@ -12,9 +12,7 @@ class Hash # ISO 15.2.13.4.1 def ==(hash) return true if self.equal?(hash) - begin - hash = hash.to_hash - rescue NoMethodError + unless Hash === hash return false end return false if self.size != hash.size @@ -32,9 +30,7 @@ class Hash # ISO 15.2.13.4.32 (x) def eql?(hash) return true if self.equal?(hash) - begin - hash = hash.to_hash - rescue NoMethodError + unless Hash === hash return false end return false if self.size != hash.size @@ -153,9 +149,8 @@ class Hash # # ISO 15.2.13.4.23 def replace(hash) - raise TypeError, "can't convert argument into Hash" unless hash.respond_to?(:to_hash) + raise TypeError, "Hash required (#{hash.class} given)" unless Hash === hash self.clear - hash = hash.to_hash hash.each_key{|k| self[k] = hash[k] } @@ -178,8 +173,7 @@ class Hash # # ISO 15.2.13.4.22 def merge(other, &block) - raise TypeError, "can't convert argument into Hash" unless other.respond_to?(:to_hash) - other = other.to_hash + raise TypeError, "Hash required (#{other.class} given)" unless Hash === other h = self.dup if block other.each_key{|k| diff --git a/src/class.c b/src/class.c index 5d6ff4b39..dd5b65cc3 100644 --- a/src/class.c +++ b/src/class.c @@ -492,18 +492,6 @@ mrb_notimplement_m(mrb_state *mrb, mrb_value self) return mrb_nil_value(); } -static mrb_value -check_type(mrb_state *mrb, mrb_value val, enum mrb_vtype t, const char *c, const char *m) -{ - mrb_value tmp; - - tmp = mrb_check_convert_type(mrb, val, t, c, m); - if (mrb_nil_p(tmp)) { - mrb_raisef(mrb, E_TYPE_ERROR, "expected %S", mrb_str_new_cstr(mrb, c)); - } - return tmp; -} - #define CHECK_TYPE(mrb, val, t, c) do { \ if (mrb_type(val) != (t)) {\ mrb_raisef(mrb, E_TYPE_ERROR, "expected %S", mrb_str_new_lit(mrb, c));\ @@ -527,7 +515,8 @@ to_ary(mrb_state *mrb, mrb_value val) static mrb_value to_hash(mrb_state *mrb, mrb_value val) { - return check_type(mrb, val, MRB_TT_HASH, "Hash", "to_hash"); + CHECK_TYPE(mrb, val, MRB_TT_HASH, "Hash"); + return val; } #define to_sym(mrb, ss) mrb_obj_to_sym(mrb, ss) diff --git a/src/hash.c b/src/hash.c index f43fd901c..467b20a51 100644 --- a/src/hash.c +++ b/src/hash.c @@ -738,18 +738,6 @@ mrb_hash_set(mrb_state *mrb, mrb_value hash, mrb_value key, mrb_value val) return; } -MRB_API mrb_value -mrb_ensure_hash_type(mrb_state *mrb, mrb_value hash) -{ - return mrb_convert_type(mrb, hash, MRB_TT_HASH, "Hash", "to_hash"); -} - -MRB_API mrb_value -mrb_check_hash_type(mrb_state *mrb, mrb_value hash) -{ - return mrb_check_convert_type(mrb, hash, MRB_TT_HASH, "Hash", "to_hash"); -} - static void mrb_hash_modify(mrb_state *mrb, mrb_value hash) { @@ -1189,20 +1177,6 @@ mrb_hash_empty_m(mrb_state *mrb, mrb_value self) return mrb_bool_value(mrb_hash_empty_p(mrb, self)); } -/* 15.2.13.4.29 (x)*/ -/* - * call-seq: - * hsh.to_hash => hsh - * - * Returns +self+. - */ - -static mrb_value -mrb_hash_to_hash(mrb_state *mrb, mrb_value hash) -{ - return hash; -} - static int hash_keys_i(mrb_state *mrb, mrb_value key, mrb_value val, void *p) { @@ -1439,6 +1413,4 @@ mrb_init_hash(mrb_state *mrb) mrb_define_method(mrb, h, "value?", mrb_hash_has_value, MRB_ARGS_REQ(1)); /* 15.2.13.4.27 */ mrb_define_method(mrb, h, "values", mrb_hash_values, MRB_ARGS_NONE()); /* 15.2.13.4.28 */ mrb_define_method(mrb, h, "rehash", mrb_hash_rehash, MRB_ARGS_NONE()); - - mrb_define_method(mrb, h, "to_hash", mrb_hash_to_hash, MRB_ARGS_NONE()); /* 15.2.13.4.29 (x)*/ } diff --git a/src/object.c b/src/object.c index a105c62f0..66dfa0f97 100644 --- a/src/object.c +++ b/src/object.c @@ -623,6 +623,23 @@ mrb_check_array_type(mrb_state *mrb, mrb_value ary) return ary; } +MRB_API mrb_value +mrb_ensure_hash_type(mrb_state *mrb, mrb_value hash) +{ + if (!mrb_hash_p(hash)) { + mrb_raisef(mrb, E_TYPE_ERROR, "%S cannot be converted to Hash", + inspect_type(mrb, hash)); + } + return hash; +} + +MRB_API mrb_value +mrb_check_hash_type(mrb_state *mrb, mrb_value hash) +{ + if (!mrb_hash_p(hash)) return mrb_nil_value(); + return hash; +} + MRB_API mrb_value mrb_inspect(mrb_state *mrb, mrb_value obj) { -- cgit v1.2.3 From 9516731329a9d43b4aab57a19fb9cfc1b62f11e8 Mon Sep 17 00:00:00 2001 From: "Yukihiro \"Matz\" Matsumoto" Date: Mon, 19 Nov 2018 12:01:58 +0900 Subject: Use type checking `mrb_to_str` instead of converting `mrb_str_to_str`. --- include/mruby/string.h | 1 + mrbgems/mruby-sprintf/src/sprintf.c | 2 +- mrbgems/mruby-struct/src/struct.c | 2 +- src/error.c | 2 +- src/string.c | 18 ++++++++---------- 5 files changed, 12 insertions(+), 13 deletions(-) (limited to 'mrbgems/mruby-sprintf/src/sprintf.c') diff --git a/include/mruby/string.h b/include/mruby/string.h index fa1955f48..60db35c99 100644 --- a/include/mruby/string.h +++ b/include/mruby/string.h @@ -352,6 +352,7 @@ MRB_API double mrb_str_to_dbl(mrb_state *mrb, mrb_value str, mrb_bool badcheck); /* * Returns a converted string type. + * For type checking, non converting `mrb_to_str` is recommended. */ MRB_API mrb_value mrb_str_to_str(mrb_state *mrb, mrb_value str); diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c index 5a4a7899e..985ffe276 100644 --- a/mrbgems/mruby-sprintf/src/sprintf.c +++ b/mrbgems/mruby-sprintf/src/sprintf.c @@ -552,7 +552,7 @@ mrb_str_format(mrb_state *mrb, mrb_int argc, const mrb_value *argv, mrb_value fm ++argc; --argv; - fmt = mrb_str_to_str(mrb, fmt); + mrb_to_str(mrb, fmt); p = RSTRING_PTR(fmt); end = p + RSTRING_LEN(fmt); blen = 0; diff --git a/mrbgems/mruby-struct/src/struct.c b/mrbgems/mruby-struct/src/struct.c index b567a00d5..832583f35 100644 --- a/mrbgems/mruby-struct/src/struct.c +++ b/mrbgems/mruby-struct/src/struct.c @@ -213,7 +213,7 @@ make_struct(mrb_state *mrb, mrb_value name, mrb_value members, struct RClass *kl } else { /* old style: should we warn? */ - name = mrb_str_to_str(mrb, name); + mrb_to_str(mrb, name); id = mrb_obj_to_sym(mrb, name); if (!is_const_id(mrb, mrb_sym2name_len(mrb, id, NULL))) { mrb_name_error(mrb, id, "identifier %S needs to be constant", name); diff --git a/src/error.c b/src/error.c index 599612b97..57cdfcfe1 100644 --- a/src/error.c +++ b/src/error.c @@ -28,7 +28,7 @@ mrb_exc_new(mrb_state *mrb, struct RClass *c, const char *ptr, size_t len) MRB_API mrb_value mrb_exc_new_str(mrb_state *mrb, struct RClass* c, mrb_value str) { - str = mrb_str_to_str(mrb, str); + mrb_to_str(mrb, str); return mrb_obj_new(mrb, c, 1, &str); } diff --git a/src/string.c b/src/string.c index b6d4ecef0..287b4dcbb 100644 --- a/src/string.c +++ b/src/string.c @@ -748,9 +748,7 @@ mrb_str_to_cstr(mrb_state *mrb, mrb_value str0) MRB_API void mrb_str_concat(mrb_state *mrb, mrb_value self, mrb_value other) { - if (!mrb_string_p(other)) { - other = mrb_str_to_str(mrb, other); - } + other = mrb_str_to_str(mrb, other); mrb_str_cat_str(mrb, self, other); } @@ -993,15 +991,15 @@ mrb_str_to_str(mrb_state *mrb, mrb_value str) MRB_API const char* mrb_string_value_ptr(mrb_state *mrb, mrb_value ptr) { - mrb_value str = mrb_str_to_str(mrb, ptr); - return RSTRING_PTR(str); + mrb_to_str(mrb, ptr); + return RSTRING_PTR(ptr); } MRB_API mrb_int mrb_string_value_len(mrb_state *mrb, mrb_value ptr) { - mrb_value str = mrb_str_to_str(mrb, ptr); - return RSTRING_LEN(str); + mrb_to_str(mrb, ptr); + return RSTRING_LEN(ptr); } void @@ -2183,7 +2181,7 @@ mrb_cstr_to_inum(mrb_state *mrb, const char *str, int base, int badcheck) MRB_API const char* mrb_string_value_cstr(mrb_state *mrb, mrb_value *ptr) { - mrb_value str = mrb_str_to_str(mrb, *ptr); + mrb_value str = mrb_to_str(mrb, *ptr); struct RString *ps = mrb_str_ptr(str); mrb_int len = mrb_str_strlen(mrb, ps); char *p = RSTR_PTR(ps); @@ -2313,7 +2311,7 @@ mrb_str_to_dbl(mrb_state *mrb, mrb_value str, mrb_bool badcheck) char *s; mrb_int len; - str = mrb_str_to_str(mrb, str); + mrb_to_str(mrb, str); s = RSTRING_PTR(str); len = RSTRING_LEN(str); if (s) { @@ -2600,7 +2598,7 @@ mrb_str_cat_str(mrb_state *mrb, mrb_value str, mrb_value str2) MRB_API mrb_value mrb_str_append(mrb_state *mrb, mrb_value str1, mrb_value str2) { - str2 = mrb_str_to_str(mrb, str2); + mrb_to_str(mrb, str2); return mrb_str_cat_str(mrb, str1, str2); } -- cgit v1.2.3