From 015988758baf24d97c05878255a7c57c622cb115 Mon Sep 17 00:00:00 2001
From: KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>
Date: Thu, 28 Mar 2024 16:17:02 +1100
Subject: [PATCH 1/2] Add an implementation of strndup to missing/

Visual studio doesn't seem to have it. I copied the implementation from
OpenBSD, since there are other OpenBSD string functions in missing/ and
they are appropriately licensed.
---
 configure.ac           |  1 +
 include/ruby/missing.h |  4 ++++
 missing/strndup.c      | 39 +++++++++++++++++++++++++++++++++++++++
 win32/Makefile.sub     |  2 +-
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 missing/strndup.c

diff --git a/configure.ac b/configure.ac
index 530c073764caa2..76ac9bd6a2ce0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2013,6 +2013,7 @@ AC_REPLACE_FUNCS(strchr)
 AC_REPLACE_FUNCS(strerror)
 AC_REPLACE_FUNCS(strlcat)
 AC_REPLACE_FUNCS(strlcpy)
+AC_REPLACE_FUNCS(strndup)
 AC_REPLACE_FUNCS(strstr)
 AC_REPLACE_FUNCS(tgamma)
 
diff --git a/include/ruby/missing.h b/include/ruby/missing.h
index aea6c9088d9d22..be22b328c77cac 100644
--- a/include/ruby/missing.h
+++ b/include/ruby/missing.h
@@ -210,6 +210,10 @@ RUBY_EXTERN size_t strlcpy(char *, const char*, size_t);
 RUBY_EXTERN size_t strlcat(char *, const char*, size_t);
 #endif
 
+#ifndef HAVE_STRNDUP
+RUBY_EXTERN char *strndup(const char *, size_t);
+#endif
+
 #ifndef HAVE_FFS
 RUBY_EXTERN int ffs(int);
 #endif
diff --git a/missing/strndup.c b/missing/strndup.c
new file mode 100644
index 00000000000000..0f15e42289517f
--- /dev/null
+++ b/missing/strndup.c
@@ -0,0 +1,39 @@
+/*	$OpenBSD: strndup.c,v 1.3 2019/01/25 00:19:25 millert Exp $	*/
+
+/*
+ * Copyright (c) 2010 Todd C. Miller <millert@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+
+char *
+strndup(const char *str, size_t maxlen)
+{
+	char *copy;
+	size_t len;
+
+	len = strnlen(str, maxlen);
+	copy = malloc(len + 1);
+	if (copy != NULL) {
+		(void)memcpy(copy, str, len);
+		copy[len] = '\0';
+	}
+
+	return copy;
+}
diff --git a/win32/Makefile.sub b/win32/Makefile.sub
index 80a43d00dae209..147782ca732b90 100644
--- a/win32/Makefile.sub
+++ b/win32/Makefile.sub
@@ -315,7 +315,7 @@ LIBS = $(LIBS) gmp.lib
 LIBS = $(LIBS) imagehlp.lib shlwapi.lib bcrypt.lib $(EXTLIBS)
 !endif
 !if !defined(MISSING)
-MISSING = crypt.obj ffs.obj langinfo.obj lgamma_r.obj strlcat.obj strlcpy.obj win32/win32.obj win32/file.obj setproctitle.obj
+MISSING = crypt.obj ffs.obj langinfo.obj lgamma_r.obj strlcat.obj strlcpy.obj strndup.obj win32/win32.obj win32/file.obj setproctitle.obj
 !if $(RT_VER) < 120
 MISSING = $(MISSING) acosh.obj cbrt.obj erf.obj nan.obj tgamma.obj
 !endif

From f5f9a02e0a512bfae9ff5696187413341c25a51a Mon Sep 17 00:00:00 2001
From: KJ Tsanaktsidis <kj@kjtsanaktsidis.id.au>
Date: Sat, 17 Feb 2024 19:08:43 +1100
Subject: [PATCH 2/2] Fix heap-buffer-overflow read in set_number_literal

It appears that tok(p) is not NULL terminated here, so we need to use
strndup to copy only the correct number of bytes.

[1/1] TestRubyLiteral#test_integer=================================================================
==484771==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5060001ab1fc at pc 0x5597fe21d8e1 bp 0x7ffdc6fb0a50 sp 0x7ffdc6fb0210
READ of size 61 at 0x5060001ab1fc thread T0
    #0 0x5597fe21d8e0 in strlen.part.0 /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:391:5
    #1 0x5597fe6b2feb in ruby_strdup /home/kj/ruby/build/../util.c:538:18
    #2 0x5597fe4cb1c5 in set_number_literal /home/kj/ruby/build/parse.y:9694:9
    #3 0x5597fe4cab3d in no_digits /home/kj/ruby/build/parse.y:10409:12
    #4 0x5597fe4b9de9 in parse_numeric /home/kj/ruby/build/parse.y
    #5 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
    #6 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
    #7 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
    #8 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9
    #9 0x5597fe76db1b in rb_suppress_tracing /home/kj/ruby/build/../vm_trace.c:487:18
    #10 0x5597fe494416 in yycompile /home/kj/ruby/build/parse.y:8177:5
    #11 0x5597fe494416 in parser_compile_string /home/kj/ruby/build/parse.y:8240:12
    #12 0x5597fe494416 in rb_ruby_parser_compile_string_path /home/kj/ruby/build/parse.y:8247:12
    #13 0x5597fe498858 in rb_parser_compile_string_path /home/kj/ruby/build/parse.y:16663:12
    #14 0x5597fe75688c in eval_make_iseq /home/kj/ruby/build/../vm_eval.c:1799:11
    #15 0x5597fe70c8fa in eval_string_with_cref /home/kj/ruby/build/../vm_eval.c:1837:12
    #16 0x5597fe70c396 in rb_f_eval /home/kj/ruby/build/../vm_eval.c:1912:16
    #17 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #18 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #19 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
    #20 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
    #21 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
    #22 0x5597fe758bc4 in invoke_block /home/kj/ruby/build/../vm.c:1515:12
    #23 0x5597fe758bc4 in invoke_iseq_block_from_c /home/kj/ruby/build/../vm.c:1585:16
    #24 0x5597fe758bc4 in invoke_block_from_c_bh /home/kj/ruby/build/../vm.c:1603:20
    #25 0x5597fe70e4b7 in vm_yield_with_cref /home/kj/ruby/build/../vm.c:1640:12
    #26 0x5597fe709861 in vm_yield /home/kj/ruby/build/../vm.c:1648:12
    #27 0x5597fe709861 in rb_yield_0 /home/kj/ruby/build/../vm_eval.c:1366:12
    #28 0x5597fe709861 in rb_yield /home/kj/ruby/build/../vm_eval.c
    #29 0x5597fec0eff9 in rb_ary_collect /home/kj/ruby/build/../array.c:3601:30
    #30 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #31 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #32 0x5597fe6e2d8f in vm_exec_core /home/kj/ruby/build/../insns.def:847:11
    #33 0x5597fe6dde00 in vm_exec_loop /home/kj/ruby/build/../vm.c:2578:22
    #34 0x5597fe6dde00 in rb_vm_exec /home/kj/ruby/build/../vm.c:2557:18
    #35 0x5597fe3ffe9e in load_iseq_eval /home/kj/ruby/build/../load.c:778:5
    #36 0x5597fe3fb498 in require_internal /home/kj/ruby/build/../load.c:1284:21
    #37 0x5597fe3f9bf3 in rb_require_string_internal /home/kj/ruby/build/../load.c:1383:18
    #38 0x5597fe73f5e2 in vm_call_cfunc_with_frame_ /home/kj/ruby/build/../vm_insnhelper.c:3492:11
    #39 0x5597fe6dca64 in vm_sendish /home/kj/ruby/build/../vm_callinfo.h
    #40 0x5597fe6e64fa in vm_exec_core /home/kj/ruby/build/../insns.def:867:11
    #41 0x5597fe6dda82 in rb_vm_exec /home/kj/ruby/build/../vm.c:2551:22
    #42 0x5597fe30a753 in rb_ec_exec_node /home/kj/ruby/build/../eval.c:283:9
    #43 0x5597fe30a43d in ruby_run_node /home/kj/ruby/build/../eval.c:323:30
    #44 0x5597fe3059b0 in rb_main /home/kj/ruby/build/../main.c:40:12
    #45 0x5597fe3059b0 in main /home/kj/ruby/build/../main.c:59:12
    #46 0x7f1a93141149 in __libc_start_call_main /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #47 0x7f1a9314120a in __libc_start_main@GLIBC_2.2.5 /usr/src/debug/glibc-2.38-16.fc39.x86_64/csu/../csu/libc-start.c:360:3
    #48 0x5597fe1d3e34 in _start (/home/kj/ruby/build/ruby+0x38ae34)

0x5060001ab1fc is located 0 bytes after 60-byte region [0x5060001ab1c0,0x5060001ab1fc)
allocated by thread T0 here:
    #0 0x5597fe2bde4f in malloc /home/kj/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x5597fe3491a9 in objspace_xmalloc0 /home/kj/ruby/build/../gc.c:12605:5
    #2 0x5597fe4a8adf in parser_yylex /home/kj/ruby/build/parse.y
    #3 0x5597fe45c5cd in yylex /home/kj/ruby/build/parse.y:11916:9
    #4 0x5597fe45c5cd in ruby_yyparse /home/kj/ruby/build/parse.c:11200:16
    #5 0x5597fe49dc00 in yycompile0 /home/kj/ruby/build/parse.y:8121:9

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kj/ruby/build/../util.c:538:18 in ruby_strdup
Shadow bytes around the buggy address:
  0x5060001aaf00: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x5060001aaf80: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
  0x5060001ab000: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x5060001ab080: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x5060001ab100: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x5060001ab180: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00[04]
  0x5060001ab200: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x5060001ab280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x5060001ab400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==484771==ABORTING

[Bug #20398]
---
 parse.y | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/parse.y b/parse.y
index 585130c3465ed6..83e2df9055365d 100644
--- a/parse.y
+++ b/parse.y
@@ -9315,16 +9315,16 @@ set_number_literal(struct parser_params *p, enum yytokentype type, int suffix, i
 
     switch (type) {
       case tINTEGER:
-        set_yylval_node(NEW_INTEGER(strdup(tok(p)), base, &_cur_loc));
+        set_yylval_node(NEW_INTEGER(strndup(tok(p), toklen(p)), base, &_cur_loc));
         break;
       case tFLOAT:
-        set_yylval_node(NEW_FLOAT(strdup(tok(p)), &_cur_loc));
+        set_yylval_node(NEW_FLOAT(strndup(tok(p), toklen(p)), &_cur_loc));
         break;
       case tRATIONAL:
-        set_yylval_node(NEW_RATIONAL(strdup(tok(p)), base, seen_point, &_cur_loc));
+        set_yylval_node(NEW_RATIONAL(strndup(tok(p), toklen(p)), base, seen_point, &_cur_loc));
         break;
       case tIMAGINARY:
-        set_yylval_node(NEW_IMAGINARY(strdup(tok(p)), base, seen_point, numeric_type, &_cur_loc));
+        set_yylval_node(NEW_IMAGINARY(strndup(tok(p), toklen(p)), base, seen_point, numeric_type, &_cur_loc));
         (void)numeric_type;     /* for ripper */
         break;
       default: