random.c: check initialize and load

* random.c (random_init, random_load): cannot initialize frozen object
  again, nor with tainted/untrusted object.  [Bug #6540]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36175 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,8 @@
+Fri Jun 22 13:36:50 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* random.c (random_init, random_load): cannot initialize frozen object
+	  again, nor with tainted/untrusted object.  [Bug #6540]
+
 Fri Jun 22 13:32:33 2012  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* error.c (rb_check_copyable): new function, to ensure the target is

random.c

@@ -462,10 +462,12 @@ random_init(int argc, VALUE *argv, VALUE obj)
     rb_random_t *rnd = get_rnd(obj);
 
     if (argc == 0) {
+	rb_check_frozen(obj);
 	vseed = random_seed();
     }
     else {
 	rb_scan_args(argc, argv, "01", &vseed);
+	rb_check_copyable(obj, vseed);
     }
     rnd->seed = rand_init(&rnd->mt, vseed);
     return obj;
@@ -686,6 +688,7 @@ random_load(VALUE obj, VALUE dump)
     VALUE *ary;
     unsigned long x;
 
+    rb_check_copyable(obj, dump);
     Check_Type(dump, T_ARRAY);
     ary = RARRAY_PTR(dump);
     switch (RARRAY_LEN(dump)) {

test/ruby/test_rand.rb

@@ -484,4 +484,25 @@ END
       Random.new.marshal_load(0)
     }
   end
+
+  def test_marshal_load_frozen
+    r = Random.new(0)
+    d = r.marshal_dump
+    r.freeze
+    assert_raise(RuntimeError, '[Bug #6540]') do
+      r.marshal_load(d)
+    end
+  end
+
+  def test_marshal_load_insecure
+    r = Random.new(0)
+    d = r.marshal_dump
+    l = proc do
+      $SAFE = 4
+      r.marshal_load(d)
+    end
+    assert_raise(SecurityError, '[Bug #6540]') do
+      l.call
+    end
+  end
 end