merge revision(s) 54105,54108,54136,54138: [Backport ruby#12188]

unak · unak · commit 477c282a079a · 2016-03-25T09:19:56.000Z
* marshal.c (r_object0): Fix Marshal crash for corrupt extended object.

	* marshal.c (r_object0):  raise ArgumentError when linking to undefined
	  object.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@54274 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,12 @@
+Fri Mar 25 18:18:29 2016  Eric Hodel  <drbrain@segment7.net>
+
+	* marshal.c (r_object0):  raise ArgumentError when linking to undefined
+	  object.
+
+Fri Mar 25 18:18:29 2016  Eric Hodel  <drbrain@segment7.net>
+
+	* marshal.c (r_object0): Fix Marshal crash for corrupt extended object.
+
 Fri Mar 25 18:07:48 2016  Yutaka Kanemoto  <kanemoto@ruby-lang.org>
 
 	* cont.c (rb_fiber_struct): keep context.uc_stack.ss_sp and context.uc_stack.ss_size
diff --git a/marshal.c b/marshal.c
@@ -1515,6 +1515,7 @@ r_object0(struct load_arg *arg, int *ivp, VALUE extmod)
 	{
 	    VALUE path = r_unique(arg);
 	    VALUE m = rb_path_to_class(path);
+	    if (NIL_P(extmod)) extmod = rb_ary_tmp_new(0);
 
 	    if (RB_TYPE_P(m, T_CLASS)) { /* prepended */
 		VALUE c;
@@ -1534,7 +1535,6 @@ r_object0(struct load_arg *arg, int *ivp, VALUE extmod)
 	    }
 	    else {
 		must_be_module(m, path);
-		if (NIL_P(extmod)) extmod = rb_ary_tmp_new(0);
 		rb_ary_push(extmod, m);
 
 		v = r_object0(arg, 0, extmod);
@@ -1894,6 +1894,11 @@ r_object0(struct load_arg *arg, int *ivp, VALUE extmod)
 	rb_raise(rb_eArgError, "dump format error(0x%x)", type);
 	break;
     }
+
+    if (v == Qundef) {
+	rb_raise(rb_eArgError, "dump format error (bad link)");
+    }
+
     return v;
 }
 
diff --git a/test/ruby/test_marshal.rb b/test/ruby/test_marshal.rb
@@ -1,5 +1,6 @@
 require 'test/unit'
 require 'tempfile'
+require_relative 'envutil'
 require_relative 'marshaltestlib'
 
 class TestMarshal < Test::Unit::TestCase
@@ -612,4 +613,22 @@ def test_marshal_honor_post_proc_value_for_link
     obj = [str, str]
     assert_equal(['X', 'X'], Marshal.load(Marshal.dump(obj), ->(v) { v == str ? v.upcase : v }))
   end
+
+  def test_marshal_load_extended_class_crash
+    crash = "\x04\be:\x0F\x00omparableo:\vObject\x00"
+
+    opt = %w[--disable=gems]
+    assert_ruby_status(opt, "Marshal.load(#{crash.dump})")
+  end
+
+  def test_marshal_load_r_prepare_reference_crash
+    crash = "\x04\bI/\x05\x00\x06:\x06E{\x06@\x05T"
+
+    opt = %w[--disable=gems]
+    assert_separately(opt, <<-RUBY)
+      assert_raise_with_message(ArgumentError, /bad link/) do
+        Marshal.load(#{crash.dump})
+      end
+    RUBY
+  end
 end
diff --git a/version.h b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.1.9"
 #define RUBY_RELEASE_DATE "2016-03-25"
-#define RUBY_PATCHLEVEL 471
+#define RUBY_PATCHLEVEL 472
 
 #define RUBY_RELEASE_YEAR 2016
 #define RUBY_RELEASE_MONTH 3

Original file line number	Diff line number	Diff line change
`@@ -1515,6 +1515,7 @@ r_object0(struct load_arg arg, int ivp, VALUE extmod)`
`1515`	`1515`	`{`
`1516`	`1516`	`VALUE path = r_unique(arg);`
`1517`	`1517`	`VALUE m = rb_path_to_class(path);`
	`1518`	`+ if (NIL_P(extmod)) extmod = rb_ary_tmp_new(0);`
`1518`	`1519`
`1519`	`1520`	`if (RB_TYPE_P(m, T_CLASS)) { /* prepended */`
`1520`	`1521`	`VALUE c;`
`@@ -1534,7 +1535,6 @@ r_object0(struct load_arg arg, int ivp, VALUE extmod)`
`1534`	`1535`	`}`
`1535`	`1536`	`else {`
`1536`	`1537`	`must_be_module(m, path);`
`1537`		`- if (NIL_P(extmod)) extmod = rb_ary_tmp_new(0);`
`1538`	`1538`	`rb_ary_push(extmod, m);`
`1539`	`1539`
`1540`	`1540`	`v = r_object0(arg, 0, extmod);`
`@@ -1894,6 +1894,11 @@ r_object0(struct load_arg arg, int ivp, VALUE extmod)`
`1894`	`1894`	`rb_raise(rb_eArgError, "dump format error(0x%x)", type);`
`1895`	`1895`	`break;`
`1896`	`1896`	`}`
	`1897`	`+`
	`1898`	`+ if (v == Qundef) {`
	`1899`	`+ rb_raise(rb_eArgError, "dump format error (bad link)");`
	`1900`	`+ }`
	`1901`	`+`
`1897`	`1902`	`return v;`
`1898`	`1903`	`}`
`1899`	`1904`