Urabe Shyouhei
6/10/2009 4:24:00 PM
Charles Oliver Nutter wrote:
> On Wed, Jun 10, 2009 at 12:14 AM, Kirk Haines<wyhaines@gmail.com> wrote:
>> We have released Ruby 1.8.6-pl369. This is primarily a security release.
>>
>> A flaw was found with BigDecimal that could be exploited to cause the
>> interpreter to segfault because it mishandled certain large input
>> values. As ActiveRecord uses BigDecimal, this issue could potentially
>> affect many Rails installations, though this is not a Rails specific
>> issue. The result is that an attacker could potentially deliver a
>> denial of service attack to many applications. This vulnerability has
>> been assigned the CVE name CVE-2009-1904.
>
> Hmm...so here's my exploration in JRuby:
>
> With a really large BigDecimal:
>
> * to_f runs forever
> * to_i runs forever
>
> The latter appears to affect 1.9.1 as well...
>
> $ ruby19 -rbigdecimal -e "p BigDecimal.new('5E6999999').to_i"
> <runs forever>
>
> I have not tested the patched 1.8.6/1.8.7 versions to see if to_i has
> this issue.
>
> I'll have fixes for both JRuby issues on master and jruby-1_3 branches shortly.
Well, to_f can shortcut such cases to generate Inf, but to_i should generate
large Bignums, so there may be difficulties in solving to_i slowness for those cases.
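As an added illustration (not code from this thread, nor from Ruby's bigdecimal itself), the pair of guards below applies the distinction drawn in the reply: Float conversion of a huge-exponent value can be shortcut to Infinity without expanding any digits, whereas Integer conversion has no such shortcut, so the only defensive option is to reject inputs whose digit count exceeds an application-chosen cap before `to_i` is ever called. `MAX_DIGITS`, `DecimalTooLarge` and the helper names are assumptions.

```ruby
require 'bigdecimal'

# Assumed policy cap on the number of integer digits an application is
# willing to materialise as a Bignum; tune per deployment.
MAX_DIGITS = 10_000

class DecimalTooLarge < ArgumentError; end

# Integer conversion: refuses values whose magnitude needs more than
# max_digits decimal digits instead of letting to_i build a huge Bignum.
# BigDecimal#exponent is n in the form 0.ddd * 10**n, i.e. the number of
# integer digits the value would have.
def bounded_to_i(str, max_digits = MAX_DIGITS)
  d = BigDecimal(str)
  raise DecimalTooLarge, "non-finite value #{str.inspect}" unless d.finite?
  if d.exponent > max_digits
    raise DecimalTooLarge,
          "#{d.exponent} integer digits exceed the cap of #{max_digits}"
  end
  d.to_i
end

# Float conversion: anything beyond Float's decimal range is returned as
# +/-Infinity directly, so no digit expansion happens for giant exponents.
# Values near the boundary (exponent <= MAX_10_EXP + 1) are left to to_f.
def bounded_to_f(str)
  d = BigDecimal(str)
  return d.to_f unless d.finite?            # NaN / Infinity literals pass through
  if d.exponent > Float::MAX_10_EXP + 1     # 0.d * 10**e with e >= 310 always overflows
    return d < 0 ? -Float::INFINITY : Float::INFINITY
  end
  d.to_f
end

if __FILE__ == $0
  # Constructed inputs: an ordinary literal and the runaway one from the thread.
  p bounded_to_f('5E6999999')               # Infinity, returned without expansion
  p bounded_to_i('123.45')                  # 123
  begin
    bounded_to_i('5E6999999')
  rescue DecimalTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```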