Ensure safe handling of IO::Buffer#hexdump width. (ruby#16593)

ioquatix · web-flow · commit f9175a9e5f55 · 2026-03-29T18:57:51.000+13:00
diff --git a/io_buffer.c b/io_buffer.c
@@ -39,6 +39,7 @@ size_t RUBY_IO_BUFFER_DEFAULT_SIZE;
 
 enum {
     RB_IO_BUFFER_HEXDUMP_DEFAULT_WIDTH = 16,
+    RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH = 1024,
 
     RB_IO_BUFFER_INSPECT_HEXDUMP_MAXIMUM_SIZE = 256,
     RB_IO_BUFFER_INSPECT_HEXDUMP_WIDTH = 16,
@@ -384,7 +385,7 @@ io_buffer_extract_size(VALUE argument)
 }
 
 // Extract a width argument, which must be a non-negative integer, and must be
-// at least the given minimum.
+// at least the given minimum and at most RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH.
 static inline size_t
 io_buffer_extract_width(VALUE argument, size_t minimum)
 {
@@ -398,6 +399,10 @@ io_buffer_extract_width(VALUE argument, size_t minimum)
         rb_raise(rb_eArgError, "Width must be at least %" PRIuSIZE "!", minimum);
     }
 
+    if (width > RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH) {
+        rb_raise(rb_eArgError, "Width must be at most %" PRIuSIZE "!", (size_t)RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH);
+    }
+
     return width;
 }
 
diff --git a/test/ruby/test_io_buffer.rb b/test/ruby/test_io_buffer.rb
@@ -960,4 +960,48 @@ def test_locked_throw
     refute_predicate buf, :locked?
     buf.locked { }
   end
+
+  def test_hexdump_default_width
+    buffer = IO::Buffer.for("Hello World")
+    hexdump = buffer.hexdump
+    assert_include hexdump, "Hello World"
+    assert_include hexdump, "0x00000000"
+  end
+
+  def test_hexdump_custom_width
+    buffer = IO::Buffer.for("A" * 64)
+    hexdump = buffer.hexdump(0, 64, 32)
+    assert_include hexdump, "0x00000000"
+    assert_include hexdump, "0x00000020"
+  end
+
+  def test_hexdump_maximum_width
+    buffer = IO::Buffer.for("A" * 2048)
+    # Maximum width is 1024
+    hexdump = buffer.hexdump(0, 1024, 1024)
+    assert_include hexdump, "0x00000000"
+  end
+
+  def test_hexdump_width_too_large
+    buffer = IO::Buffer.for("A")
+    # Width exceeding maximum (1024) should raise ArgumentError
+    assert_raise(ArgumentError) do
+      buffer.hexdump(0, 1, 1025)
+    end
+  end
+
+  def test_hexdump_width_negative
+    buffer = IO::Buffer.for("A")
+    assert_raise(ArgumentError) do
+      buffer.hexdump(0, 1, -1)
+    end
+  end
+
+  def test_hexdump_width_zero
+    buffer = IO::Buffer.for("A")
+    # Width must be at least 1
+    assert_raise(ArgumentError) do
+      buffer.hexdump(0, 1, 0)
+    end
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,7 @@ size_t RUBY_IO_BUFFER_DEFAULT_SIZE;`
`39`	`39`
`40`	`40`	`enum {`
`41`	`41`	`RB_IO_BUFFER_HEXDUMP_DEFAULT_WIDTH = 16,`
	`42`	`+ RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH = 1024,`
`42`	`43`
`43`	`44`	`RB_IO_BUFFER_INSPECT_HEXDUMP_MAXIMUM_SIZE = 256,`
`44`	`45`	`RB_IO_BUFFER_INSPECT_HEXDUMP_WIDTH = 16,`
`@@ -384,7 +385,7 @@ io_buffer_extract_size(VALUE argument)`
`384`	`385`	`}`
`385`	`386`
`386`	`387`	`// Extract a width argument, which must be a non-negative integer, and must be`
`387`		`-// at least the given minimum.`
	`388`	`+// at least the given minimum and at most RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH.`
`388`	`389`	`static inline size_t`
`389`	`390`	`io_buffer_extract_width(VALUE argument, size_t minimum)`
`390`	`391`	`{`
`@@ -398,6 +399,10 @@ io_buffer_extract_width(VALUE argument, size_t minimum)`
`398`	`399`	`rb_raise(rb_eArgError, "Width must be at least %" PRIuSIZE "!", minimum);`
`399`	`400`	`}`
`400`	`401`
	`402`	`+ if (width > RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH) {`
	`403`	`+ rb_raise(rb_eArgError, "Width must be at most %" PRIuSIZE "!", (size_t)RB_IO_BUFFER_HEXDUMP_MAXIMUM_WIDTH);`
	`404`	`+ }`
	`405`	`+`
`401`	`406`	`return width;`
`402`	`407`	`}`
`403`	`408`