[Security] Bump ffi from 1.9.23 to 1.13.1

[dependabot-preview]

Bumps ffi from 1.9.23 to 1.13.1. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

ruby-ffi DDL loading issue on Windows OS ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.

Patched versions: >= 1.9.24 Unaffected versions: none

Changelog

Sourced from ffi's changelog.

1.13.1 / 2020-06-09

Changed:

• Revert use of ucrtbase.dll as default C library on Windows-MINGW. ucrtbase.dll is still used on MSWIN target. #790
• Test for ffi_prep_closure_loc() to make sure we can use this function. This fixes incorrect use of system libffi on MacOS Mojave (10.14). #787
• Update types.conf on x86_64-dragonflybsd

1.13.0 / 2020-06-01

Added:

• Add TruffleRuby support. Almost all specs are running on TruffleRuby and succeed. #768
• Add ruby source files to the java gem. This allows to ship the Ruby library code per platform java gem and add it as a default gem to JRuby. #763
• Add FFI::Platform::LONG_DOUBLE_SIZE
• Add bounds checks for writing to an inline char[] . #756
• Add long double as callback return value. #771
• Update type definitions and add types from stdint.h and stddef.h on i386-windows, x86_64-windows, x86_64-darwin, x86_64-linux, arm-linux, powerpc-linux. #749
• Add new type definitions for powerpc-openbsd and sparcv9-openbsd. #775, #778

Changed:

• Raise required ruby version to >= 2.3.
• Lots of cleanups and improvements in library, specs and benchmarks.
• Fix a lot of compiler warnings at the C-extension
• Fix several install issues on MacOS:
  • Look for libffi in SDK paths, since recent versions of macOS removed it from /usr/include . #757
  • Fix error ld: library not found for -lgcc_s.10.4
  • Don't built for i386 architecture as it is deprecated
• Several fixes for MSVC build on Windows. #779
• Use ucrtbase.dll as default C library on Windows instead of old msvcrt.dll. #779
• Update builtin libffi to fix a Powerpc issue with parameters of type long
• Allow unmodified sourcing of (the ruby code of) this gem in JRuby and TruffleRuby as a default gem. #747
• Improve check to detect if a module has a #find_type method suitable for FFI. This fixes compatibility with stdlib mkmf . #776

Removed:

• Reject callback with :string return type at definition, because it didn't work so far and is not save to use. #751, #782

1.12.2 / 2020-02-01

• Fix possible segfault at FFI::Struct#[] and []= after GC.compact . #742

1.12.1 / 2020-01-14

Commits

• 4b053c8 Update CHANGELOG for 1.13.1
• a03ffb6 Bump VERSION to 1.13.1
• 18370af Merge pull request #790 from larskanis/msvcrt-on-mingw#
• f2d35a9 Add a spec regarding issue #788
• 90f4fca Revert usage of libc's time() on MINGW
• cc32fd0 Remove unused strcat() mapping in specs
• f259139 Revert to msvcrt.dll as LIBC on MINGW
• 81dad3c Merge pull request #787 from larskanis/ffi_prep_closure_loc
• 2c3979e Merge pull request #789 from ahorek/dragon
• c9b01d7 Update types.conf on x86_64-dragonflybsd
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)