From 50a34637a4bdd64a709937f09c839195a2b1d967 Mon Sep 17 00:00:00 2001
From: Yusuke Endoh
Date: Fri, 29 Nov 2024 02:16:39 +0900
Subject: [PATCH] Avoid illegal pointer

When loading a crafted marshal data of Random, a pointer to an illegal address was created. I don't think there is any harm since the data is normalized before access, but just to be safe, I add a check to make it an error.
---
 random.c | 2 +-
 test/ruby/test_rand.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/random.c b/random.c
index 3619ad6e6e..9f9014cf7c 100644
--- a/random.c
+++ b/random.c
@@ -895,7 +895,7 @@ rand_mt_load(VALUE obj, VALUE dump)
 sizeof(*mt->state), 0,
 INTEGER_PACK_LSWORD_FIRST|INTEGER_PACK_NATIVE_BYTE_ORDER);
 x = NUM2ULONG(left);
- if (x > numberof(mt->state)) {
+ if (x > numberof(mt->state) || x == 0) {
 rb_raise(rb_eArgError, "wrong value");
 }
 mt->left = (unsigned int)x;
diff --git a/test/ruby/test_rand.rb b/test/ruby/test_rand.rb
index a4beffd689..f177664943 100644
--- a/test/ruby/test_rand.rb
+++ b/test/ruby/test_rand.rb
@@ -434,4 +434,9 @@ class TestRand < Test::Unit::TestCase
 # probability of failure <= 1/256**8
 assert_operator(size.fdiv(n), :>, 15)
 end
+
+ def test_broken_marshal
+ assert_raise(ArgumentError) { Marshal.load("\x04\bU:\vRandom" + Marshal.dump([1,0,1])[2..]) }
+ assert_raise(ArgumentError) { Marshal.load("\x04\bU:\vRandom" + Marshal.dump([1,-1,1])[2..]) }
+ end
 end
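Review bot: The new `x == 0` arm in rand_mt_load has no comment saying why zero is rejected, so the guard reads as arbitrary and could be dropped in a later cleanup. Only the commit message records that a crafted `left` produced a pointer to an illegal address. I would add a comment above the condition such as `/* left must be in 1..numberof(mt->state); 0 would yield an out-of-range pointer into mt->state */`. The code that derives the pointer from `mt->left` is outside this hunk, so the exact wording should be confirmed against it. The generic `"wrong value"` message could also name the field (`"wrong value for left"`) so a rejected untrusted dump is easier to diagnose.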
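Review bot: Both assertions in test_broken_marshal check only the exception class, so they would also pass if the load failed for an unrelated reason, such as a malformed dump shape. Pinning the message ties them to the new guard: `assert_raise_with_message(ArgumentError, /wrong value/) { ... }`. The `-1` case appears to be rejected by the pre-existing upper-bound comparison once the value is converted to `unsigned long`, so only the `0` case exercises the added `x == 0` arm. A short comment on the hand-built payload (marshal header plus user-marshal tag for `Random`, with `[2..]` dropping the inner dump's version bytes) would help the next reader.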