Add patch to fix heap overflow in floating point parser (CVE-2013-4164).

2013-11-24 02:27:08 +00:00 · 2013-11-24 02:27:08 +00:00 · fdb5f3d307
commit fdb5f3d307
parent f406295617
2 changed files with 58 additions and 1 deletions
--- a/lang/ruby/1.8/Makefile
+++ b/lang/ruby/1.8/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.28 2013/07/17 15:48:25 jeremy Exp $
+# $OpenBSD: Makefile,v 1.29 2013/11/24 02:27:08 jeremy Exp $

 COMMENT-main=		object oriented script language with threads
 COMMENT-iconv=		libiconv interface for ruby
@ -19,6 +19,8 @@ PKGNAME-ri_docs=	ruby-ri_docs-${VERSION}.${PATCHLEVEL}
 PKG_ARCH-ri_docs=	*
 PKGSPEC-main=		ruby->=1.8,<1.9

+REVISION-main=		0
+
 CONFIGURE_ARGS=		--program-suffix=18 \
 			--enable-ipv6 \
 			--with-dbm-type=bogus \
--- a/lang/ruby/1.8/patches/patch-util_c
+++ b/lang/ruby/1.8/patches/patch-util_c
@ -0,0 +1,55 @@
+$OpenBSD: patch-util_c,v 1.1 2013/11/24 02:27:08 jeremy Exp $
+
+Backport r43776 and r43782 from Ruby SVN to fix CVE-2013-4164.
+
+--- util.c.orig	Sun Nov 21 23:21:34 2010
+++ util.c	Thu Nov 21 22:40:16 2013
+@@ -892,6 +892,11 @@ extern void *MALLOC(size_t);
+ #else
+ #define MALLOC malloc
+ #endif
+#ifdef FREE
+extern void FREE(void*);
+#else
+#define FREE free
+#endif
+ 
+ #ifndef Omit_Private_Memory
+ #ifndef PRIVATE_MEM
+@@ -1176,7 +1181,7 @@ Balloc(int k)
+ #endif
+ 
+     ACQUIRE_DTOA_LOCK(0);
+-    if ((rv = freelist[k]) != 0) {
+    if (k <= Kmax && (rv = freelist[k]) != 0) {
+         freelist[k] = rv->next;
+     }
+     else {
+@@ -1186,7 +1191,7 @@ Balloc(int k)
+ #else
+         len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
+                 /sizeof(double);
+-        if (pmem_next - private_mem + len <= PRIVATE_mem) {
+        if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
+             rv = (Bigint*)pmem_next;
+             pmem_next += len;
+         }
+@@ -1205,6 +1210,10 @@ static void
+ Bfree(Bigint *v)
+ {
+     if (v) {
+        if (v->k > Kmax) {
+            FREE(v);
+            return;
+        }
+         ACQUIRE_DTOA_LOCK(0);
+         v->next = freelist[v->k];
+         freelist[v->k] = v;
+@@ -2200,6 +2209,7 @@ break2:
+         for (; c >= '0' && c <= '9'; c = *++s) {
+ have_dig:
+             nz++;
+            if (nf > DBL_DIG * 4) continue;
+             if (c -= '0') {
+                 nf += nz;
+                 for (i = 1; i < nz; i++)