Issue #14359 has been reported by shyouhei (Shyouhei Urabe).

----------------------------------------
Bug #14359: IO#ungetbyte integer overflow
https://bugs.ruby-lang.org/issues/14359

* Author: shyouhei (Shyouhei Urabe)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
In Ruby's IO, a "byte" means an integer in the range 0...256.
However, IO#ungetbyte is the only exception.
It does not check the argument to accept liberal integers.

```ruby
File.open("/dev/zero") {|f| f.ungetbyte(-1); p f.read(2) } # => "\xFF\x00"
File.open("/dev/zero") {|f| f.ungetbyte(257); p f.read(2) } # => "\x01\x00"
```

I see no vulnerability so just filing this as a normal bug.



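A caller-side guard that enforces the 0...256 range before the value reaches `ungetbyte`, as an added example that is not part of the original report or of Ruby itself. `StrictUngetbyte` and `try_ungetbyte` are hypothetical names, and a `StringIO` of constructed zero bytes stands in for `/dev/zero` so the snippet runs on any platform.

```ruby
require "stringio"

# Hypothetical helper (not part of Ruby): rejects integers outside 0...256
# before delegating to the receiver's own ungetbyte.
module StrictUngetbyte
  BYTE_RANGE = (0...256).freeze

  def ungetbyte(b)
    case b
    when nil, String
      super # nil and String arguments keep their usual meaning
    when Integer
      unless BYTE_RANGE.cover?(b)
        # b & 0xff is the low-order byte; for -1 and 257 it equals the
        # 0xFF and 0x01 bytes shown in the report.
        raise RangeError,
              format("%d is not a byte (0...256); low 8 bits are 0x%02X", b, b & 0xff)
      end
      super
    else
      raise TypeError, "expected Integer, String or nil, got #{b.class}"
    end
  end
end

# Pushes `value` back onto a stream of two constructed zero bytes and returns
# the next two bytes read, or the exception class if the guard rejected it.
def try_ungetbyte(value)
  io = StringIO.new("\x00\x00".b).extend(StrictUngetbyte)
  io.ungetbyte(value)
  io.read(2)
rescue RangeError, TypeError => e
  e.class
end

# Constructed sample inputs: the two values from the report plus in-range bytes.
[-1, 257, 0x41, 255].each { |v| p [v, try_ungetbyte(v)] }
```

The same module can be applied to a `File` with `f.extend(StrictUngetbyte)`, since it only relies on `super` reaching the object's own `ungetbyte`.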