merge revision(s) 54105,54108,54136,54138: [Backport #12188]

* marshal.c (r_object0): Fix Marshal crash for corrupt extended object. * marshal.c (r_object0): raise ArgumentError when linking to undefined object. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@54333 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2025-09-17 09:33:59 +02:00 · 2016-03-28 16:23:40 +00:00 · 2016-03-28 16:23:40 +00:00 · af8c7c602b
commit af8c7c602b
parent 1d3af7a3fc
4 changed files with 34 additions and 2 deletions
--- a/9
+++ b/9
@ -1,3 +1,12 @@
+Tue Mar 29 01:22:39 2016  Eric Hodel  <drbrain@segment7.net>
+
+	* marshal.c (r_object0):  raise ArgumentError when linking to undefined
+	  object.
+
+Tue Mar 29 01:22:39 2016  Eric Hodel  <drbrain@segment7.net>
+
+	* marshal.c (r_object0): Fix Marshal crash for corrupt extended object.
+
 Tue Mar 29 01:20:37 2016  Eric Wong  <e@80x24.org>

 	* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): document as MT-unsafe
--- a/marshal.c
+++ b/marshal.c
@ -1582,6 +1582,7 @@ r_object0(struct load_arg *arg, int *ivp, VALUE extmod)
 	{
 	    VALUE path = r_unique(arg);
 	    VALUE m = rb_path_to_class(path);
+	    if (NIL_P(extmod)) extmod = rb_ary_tmp_new(0);

 	    if (RB_TYPE_P(m, T_CLASS)) { /* prepended */
 		VALUE c;
@ -1601,7 +1602,6 @@ r_object0(struct load_arg *arg, int *ivp, VALUE extmod)
 	    }
 	    else {
 		must_be_module(m, path);
-		if (NIL_P(extmod)) extmod = rb_ary_tmp_new(0);
 		rb_ary_push(extmod, m);

 		v = r_object0(arg, 0, extmod);
@ -1962,6 +1962,11 @@ r_object0(struct load_arg *arg, int *ivp, VALUE extmod)
 	rb_raise(rb_eArgError, "dump format error(0x%x)", type);
 	break;
    }
+
+    if (v == Qundef) {
+	rb_raise(rb_eArgError, "dump format error (bad link)");
+    }
+
    return v;
 }

--- a/test/ruby/test_marshal.rb
+++ b/test/ruby/test_marshal.rb
@ -653,4 +653,22 @@ class TestMarshal < Test::Unit::TestCase
    obj = [str, str]
    assert_equal(['X', 'X'], Marshal.load(Marshal.dump(obj), ->(v) { v == str ? v.upcase : v }))
  end
+
+  def test_marshal_load_extended_class_crash
+    crash = "\x04\be:\x0F\x00omparableo:\vObject\x00"
+
+    opt = %w[--disable=gems]
+    assert_ruby_status(opt, "Marshal.load(#{crash.dump})")
+  end
+
+  def test_marshal_load_r_prepare_reference_crash
+    crash = "\x04\bI/\x05\x00\x06:\x06E{\x06@\x05T"
+
+    opt = %w[--disable=gems]
+    assert_separately(opt, <<-RUBY)
+      assert_raise_with_message(ArgumentError, /bad link/) do
+        Marshal.load(#{crash.dump})
+      end
+    RUBY
+  end
 end
--- a/version.h
+++ b/version.h
@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.2.5"
 #define RUBY_RELEASE_DATE "2016-03-29"
-#define RUBY_PATCHLEVEL 275
+#define RUBY_PATCHLEVEL 276

 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 3