From 8f782fd8e181d9cfe9387ded43a5ca9692266b85 Mon Sep 17 00:00:00 2001 From: Florian Frank Date: Thu, 2 Mar 2017 12:12:33 +0100 Subject: [PATCH] Fix arbitrary heap exposure problem Upstream-Status: Backport CVE: CVE-2017-14064 Signed-off-by: Rajkumar Veer --- ext/json/ext/generator/generator.c | 12 ++++++------ ext/json/ext/generator/generator.h | 1 - 2 files changed, 6 insertions(+), 7 deletions(-) --- a/ext/json/generator/generator.c +++ b/ext/json/generator/generator.c @@ -301,7 +301,7 @@ char *result; if (len <= 0) return NULL; result = ALLOC_N(char, len); - memccpy(result, ptr, 0, len); + memcpy(result, ptr, len); return result; } @@ -1055,7 +1055,7 @@ } } else { if (state->indent) ruby_xfree(state->indent); - state->indent = strdup(RSTRING_PTR(indent)); + state->indent = fstrndup(RSTRING_PTR(indent), len); state->indent_len = len; } return Qnil; @@ -1093,7 +1093,7 @@ } } else { if (state->space) ruby_xfree(state->space); - state->space = strdup(RSTRING_PTR(space)); + state->space = fstrndup(RSTRING_PTR(space), len); state->space_len = len; } return Qnil; @@ -1129,7 +1129,7 @@ } } else { if (state->space_before) ruby_xfree(state->space_before); - state->space_before = strdup(RSTRING_PTR(space_before)); + state->space_before = fstrndup(RSTRING_PTR(space_before), len); state->space_before_len = len; } return Qnil; @@ -1166,7 +1166,7 @@ } } else { if (state->object_nl) ruby_xfree(state->object_nl); - state->object_nl = strdup(RSTRING_PTR(object_nl)); + state->object_nl = fstrndup(RSTRING_PTR(object_nl), len); state->object_nl_len = len; } return Qnil; @@ -1201,7 +1201,7 @@ } } else { if (state->array_nl) ruby_xfree(state->array_nl); - state->array_nl = strdup(RSTRING_PTR(array_nl)); + state->array_nl = fstrndup(RSTRING_PTR(array_nl), len); state->array_nl_len = len; } return Qnil; --- a/ext/json/generator/generator.h +++ b/ext/json/generator/generator.h @@ -1,7 +1,6 @@ #ifndef _GENERATOR_H_ #define _GENERATOR_H_ -#include #include #include