- Fix possible memory corruption when using String;

- fix integer overflow in Array;
- fix overflow in String;
- bump PORTREVISION.

Obtained from:	ruby VCS

Mk/bsd.ruby.mk

@@ -167,7 +167,7 @@ RUBY?=			${LOCALBASE}/bin/${RUBY_NAME}
 # Ruby 1.8
 #
 RUBY_RELVERSION=	1.8.6
-RUBY_PORTREVISION=	2
+RUBY_PORTREVISION=	3
 RUBY_PORTEPOCH=		1
 RUBY_PATCHLEVEL=	111
 

lang/ruby18/files/patch-array.c

@@ -0,0 +1,68 @@
+--- array.c.orig	2008-06-21 12:28:01.000000000 +0400
++++ array.c	2008-06-21 12:37:24.000000000 +0400
+@@ -20,6 +20,7 @@
+ static ID id_cmp;
+ 
+ #define ARY_DEFAULT_SIZE 16
++#define	ARY_MAX_SIZE (LONG_MAX / sizeof(VALUE))
+ 
+ void
+ rb_mem_clear(mem, size)
+@@ -120,7 +121,7 @@
+     if (len < 0) {
+ 	rb_raise(rb_eArgError, "negative array size (or size too big)");
+     }
+-    if (len > 0 && len * sizeof(VALUE) <= len) {
++    if (len > ARY_MAX_SIZE) {
+ 	rb_raise(rb_eArgError, "array size too big");
+     }
+     if (len == 0) len++;
+@@ -293,7 +294,7 @@
+     if (len < 0) {
+ 	rb_raise(rb_eArgError, "negative array size");
+     }
+-    if (len > 0 && len * (long)sizeof(VALUE) <= len) {
++    if (len > ARY_MAX_SIZE) {
+ 	rb_raise(rb_eArgError, "array size too big");
+     }
+     if (len > RARRAY(ary)->aux.capa) {
+@@ -359,6 +360,10 @@
+ 	}
+     }
+ 
++    if (idx >= ARY_MAX_SIZE) {
++        rb_raise(rb_eIndexError, "index %ld too big", idx);
++    }
++
+     rb_ary_modify(ary);
+     if (idx >= RARRAY(ary)->aux.capa) {
+ 	long new_capa = RARRAY(ary)->aux.capa / 2;
+@@ -366,6 +371,9 @@
+ 	if (new_capa < ARY_DEFAULT_SIZE) {
+ 	    new_capa = ARY_DEFAULT_SIZE;
+ 	}
++	if (new_capa >= ARY_MAX_SIZE - idx) {
++	    new_capa = (ARY_MAX_SIZE - idx) / 2;
++	}
+ 	new_capa += idx;
+ 	if (new_capa * (long)sizeof(VALUE) <= new_capa) {
+ 	    rb_raise(rb_eArgError, "index too big");
+@@ -975,6 +983,9 @@
+     rb_ary_modify(ary);
+ 
+     if (beg >= RARRAY(ary)->len) {
++	if (beg > ARY_MAX_SIZE - rlen) {
++	    rb_raise(rb_eIndexError, "index %ld too big", beg);
++	}
+ 	len = beg + rlen;
+ 	if (len >= RARRAY(ary)->aux.capa) {
+ 	    REALLOC_N(RARRAY(ary)->ptr, VALUE, len);
+@@ -2378,7 +2389,7 @@
+     if (len < 0) {
+ 	rb_raise(rb_eArgError, "negative argument");
+     }
+-    if (LONG_MAX/len < RARRAY(ary)->len) {
++    if (ARY_MAX_SIZE/len < RARRAY(ary)->len) {
+ 	rb_raise(rb_eArgError, "argument too big");
+     }
+     len *= RARRAY(ary)->len;

lang/ruby18/files/patch-intern.h

@@ -0,0 +1,10 @@
+--- intern.h.orig	2008-06-21 12:49:23.000000000 +0400
++++ intern.h	2008-06-21 12:49:29.000000000 +0400
+@@ -400,6 +400,7 @@
+ void ruby_default_signal _((int));
+ /* sprintf.c */
+ VALUE rb_f_sprintf _((int, VALUE*));
++VALUE rb_str_format _((int, VALUE*, VALUE));
+ /* string.c */
+ VALUE rb_str_new _((const char*, long));
+ VALUE rb_str_new2 _((const char*));

lang/ruby18/files/patch-sprintf.c

@@ -0,0 +1,28 @@
+--- sprintf.c.orig	2008-06-21 12:50:30.000000000 +0400
++++ sprintf.c	2008-06-21 12:50:46.000000000 +0400
+@@ -247,7 +247,15 @@
+     int argc;
+     VALUE *argv;
+ {
++    return rb_str_format(argc - 1, argv + 1, GETNTHARG(0));
++}
++
++VALUE
++rb_str_format(argc, argv, fmt)
++    int argc;
++    VALUE *argv;
+     VALUE fmt;
++{
+     const char *p, *end;
+     char *buf;
+     int blen, bsiz;
+@@ -276,7 +284,8 @@
+ 	rb_raise(rb_eArgError, "flag after precision"); \
+     }
+ 
+-    fmt = GETNTHARG(0);
++    ++argc;
++    --argv;
+     if (OBJ_TAINTED(fmt)) tainted = 1;
+     StringValue(fmt);
+     fmt = rb_str_new4(fmt);

lang/ruby18/files/patch-string.c

@@ -0,0 +1,137 @@
+--- string.c.orig	2008-06-21 12:38:53.000000000 +0400
++++ string.c	2008-06-21 12:49:20.000000000 +0400
+@@ -452,22 +452,16 @@
+  */
+ 
+ static VALUE
+-rb_str_format(str, arg)
++rb_str_format_m(str, arg)
+     VALUE str, arg;
+ {
+-    VALUE *argv;
++    VALUE tmp = rb_check_array_type(arg);
+ 
+-    if (TYPE(arg) == T_ARRAY) {
+-	argv = ALLOCA_N(VALUE, RARRAY(arg)->len + 1);
+-	argv[0] = str;
+-	MEMCPY(argv+1, RARRAY(arg)->ptr, VALUE, RARRAY(arg)->len);
+-	return rb_f_sprintf(RARRAY(arg)->len+1, argv);
++    if (!NIL_P(tmp)) {
++	return rb_str_format(RARRAY_LEN(tmp), RARRAY_PTR(tmp), str);
+     }
+ 
+-    argv = ALLOCA_N(VALUE, 2);
+-    argv[0] = str;
+-    argv[1] = arg;
+-    return rb_f_sprintf(2, argv);
++    return rb_str_format(1, &arg, str);
+ }
+ 
+ static int
+@@ -694,18 +688,14 @@
+     return str;
+ }
+ 
+-VALUE
+-rb_str_buf_cat(str, ptr, len)
++static VALUE
++str_buf_cat(str, ptr, len)
+     VALUE str;
+     const char *ptr;
+     long len;
+ {
+     long capa, total;
+ 
+-    if (len == 0) return str;
+-    if (len < 0) {
+-	rb_raise(rb_eArgError, "negative string size (or size too big)");
+-    }
+     rb_str_modify(str);
+     if (FL_TEST(str, STR_ASSOC)) {
+ 	FL_UNSET(str, STR_ASSOC);
+@@ -714,9 +704,16 @@
+     else {
+ 	capa = RSTRING(str)->aux.capa;
+     }
++    if (RSTRING(str)->len >= LONG_MAX - len) {
++	rb_raise(rb_eArgError, "string sizes too big");
++    }
+     total = RSTRING(str)->len+len;
+     if (capa <= total) {
+ 	while (total > capa) {
++	    if (capa + 1 >= LONG_MAX / 2) {
++		capa = total;
++		break;
++	    }
+ 	    capa = (capa + 1) * 2;
+ 	}
+ 	RESIZE_CAPA(str, capa);
+@@ -729,6 +726,19 @@
+ }
+ 
+ VALUE
++rb_str_buf_cat(str, ptr, len)
++    VALUE str;
++    const char *ptr;
++    long len;
++{
++    if (len == 0) return str;
++    if (len < 0) {
++	rb_raise(rb_eArgError, "negative string size (or size too big)");
++    }
++    return str_buf_cat(str, ptr, len);
++}
++
++VALUE
+ rb_str_buf_cat2(str, ptr)
+     VALUE str;
+     const char *ptr;
+@@ -747,7 +757,7 @@
+     }
+     if (FL_TEST(str, STR_ASSOC)) {
+ 	rb_str_modify(str);
+-	REALLOC_N(RSTRING(str)->ptr, char, RSTRING(str)->len+len);
++	REALLOC_N(RSTRING(str)->ptr, char, RSTRING(str)->len+len+1);
+ 	memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len);
+ 	RSTRING(str)->len += len;
+ 	RSTRING(str)->ptr[RSTRING(str)->len] = '\0'; /* sentinel */
+@@ -769,29 +779,8 @@
+ rb_str_buf_append(str, str2)
+     VALUE str, str2;
+ {
+-    long capa, len;
+-
+-    rb_str_modify(str);
+-    if (FL_TEST(str, STR_ASSOC)) {
+-	FL_UNSET(str, STR_ASSOC);
+-	capa = RSTRING(str)->aux.capa = RSTRING(str)->len;
+-    }
+-    else {
+-	capa = RSTRING(str)->aux.capa;
+-    }
+-    len = RSTRING(str)->len+RSTRING(str2)->len;
+-    if (capa <= len) {
+-	while (len > capa) {
+-	    capa = (capa + 1) * 2;
+-	}
+-	RESIZE_CAPA(str, capa);
+-    }
+-    memcpy(RSTRING(str)->ptr + RSTRING(str)->len,
+-	   RSTRING(str2)->ptr, RSTRING(str2)->len);
+-    RSTRING(str)->len += RSTRING(str2)->len;
+-    RSTRING(str)->ptr[RSTRING(str)->len] = '\0'; /* sentinel */
++    str_buf_cat(str, RSTRING(str2)->ptr, RSTRING(str2)->len);
+     OBJ_INFECT(str, str2);
+-
+     return str;
+ }
+ 
+@@ -4657,7 +4646,7 @@
+     rb_define_method(rb_cString, "casecmp", rb_str_casecmp, 1);
+     rb_define_method(rb_cString, "+", rb_str_plus, 1);
+     rb_define_method(rb_cString, "*", rb_str_times, 1);
+-    rb_define_method(rb_cString, "%", rb_str_format, 1);
++    rb_define_method(rb_cString, "%", rb_str_format_m, 1);
+     rb_define_method(rb_cString, "[]", rb_str_aref_m, -1);
+     rb_define_method(rb_cString, "[]=", rb_str_aset_m, -1);
+     rb_define_method(rb_cString, "insert", rb_str_insert, 2);