Avoid buffer overflow in helper_sel - Make sure we do not write more than was allocated for the static buffer by checking the size of the selector. Return (SEL)0 (aka "no helper selector found") if the selector length is too big. - Fixes 7682623
--- MacRuby/trunk/dispatcher.cpp 2010-03-16 20:46:19 UTC (rev 3772)
+++ MacRuby/trunk/dispatcher.cpp 2010-03-16 22:04:35 UTC (rev 3773)
@@ -194,7 +194,11 @@
SEL new_sel = 0;
char buf[100];
- assert(len < sizeof(buf));
+ // Avoid buffer overflow
+ // len + "sel" + ':' + '\0'
+ if ((len + 5) > sizeof(buf)) {
+ return (SEL)0;
+ }
if (len >= 3 && isalpha(p[len - 3]) && p[len - 2] == '='
&& p[len - 1] == ':') {
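Review bot: The new guard `if ((len + 5) > sizeof(buf))` adds before it compares, so if `len` is an unsigned type (its declaration is outside the hunk) a value near the type's maximum wraps around and passes the check; comparing against the remaining room avoids this: `if (len > sizeof(buf) - 5) {`. The margin of 5 is only sufficient if no branch further down in helper_sel writes past `buf[len + 4]`, and those writes are not visible here, so the constant would be safer named and documented next to the longest prefix and suffix it has to cover. Unlike the removed `assert`, this check stays active when NDEBUG is defined, so callers now receive `(SEL)0` for over-long selectors and should be confirmed to treat it as "no helper selector". helper_sel starts and ends outside the hunk.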