Bug #11192: capture group special variable with large index invokes UB
Status: Closed

Description
$ ruby --dump=parsetree -e "$9999999999"
###########################################################
## Do NOT use this node dump for any purpose other than  ##
## debug and research.  Compatibility is not guaranteed. ##
###########################################################
# @ NODE_SCOPE (line: 1)
# +- nd_tbl: (empty)
# +- nd_args:
# |   (null node)
# +- nd_body:
#     @ NODE_NTH_REF (line: 1)
#     +- nd_nth: $1410065407
The culprit is this line in parse.y which contains a call to atoi().
A simple, non-intrusive fix could be calling a function with well-defined behavior when the resulting value can't be represented instead (such as strtoul()) and of course also adding a range check. But perhaps a syntax error is undesired here.
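
Added example, not code from the Ruby tree or from anyone in this thread: a digit scanner that range-checks before every multiply-add, so an oversized index is reported instead of reaching atoi(), whose behavior is undefined when the value cannot be represented. The names parse_nth_ref and wrapped_low32 and the MAX_NTH_REF cap are assumptions made for illustration; wrapped_low32 shows that the nd_nth in the dump above equals 9999999999 reduced modulo 2^32.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical cap on a capture-group index; the real limit is not on this page. */
#define MAX_NTH_REF (INT_MAX >> 1)

enum nth_status { NTH_OK, NTH_OUT_OF_RANGE, NTH_INVALID };

/* Parse the decimal digits that follow '$' without ever overflowing.
 * The check runs before each multiply-add, so no intermediate value
 * exceeds MAX_NTH_REF. *out is written only on NTH_OK. */
static enum nth_status parse_nth_ref(const char *s, size_t len, int *out)
{
    int n = 0;
    size_t i;

    if (len == 0) return NTH_INVALID;
    for (i = 0; i < len; i++) {
        int d;
        if (s[i] < '0' || s[i] > '9') return NTH_INVALID;
        d = s[i] - '0';
        /* true exactly when n * 10 + d would exceed MAX_NTH_REF */
        if (n > (MAX_NTH_REF - d) / 10) return NTH_OUT_OF_RANGE;
        n = n * 10 + d;
    }
    *out = n;
    return NTH_OK;
}

/* Low 32 bits of a value: one possible outcome of the undefined atoi()
 * call, and the value that appears as nd_nth in the reported dump. */
static uint32_t wrapped_low32(unsigned long long v)
{
    return (uint32_t)v;
}

int main(void)
{
    const char *big = "9999999999"; /* index from the report */
    int n = -1;
    enum nth_status st = parse_nth_ref(big, 10, &n);

    printf("status=%d wrapped=%u\n", (int)st, (unsigned)wrapped_low32(9999999999ULL));
    return st == NTH_OUT_OF_RANGE ? 0 : 1;
}
```

A caller can map NTH_OUT_OF_RANGE to whatever policy is wanted, for example a syntax error or a reference that always evaluates to nil.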
        
Updated by nobu (Nobuyoshi Nakada) over 10 years ago
- Status changed from Open to Closed
Applied in changeset r50671.
parse.y: check NTH_REF range
- compile.c (iseq_compile_each): out of range NTH_REF is always
 nil.
- parse.y (parse_numvar): check overflow of NTH_REF and range.
 [ruby-core:69393] [Bug #11192]
- util.c (ruby_scan_digits): make public and add length parameter.
        
Updated by usa (Usaku NAKAMURA) over 10 years ago
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: REQUIRED, 2.2: REQUIRED
        
Updated by usa (Usaku NAKAMURA) over 10 years ago
- Backport changed from 2.0.0: WONTFIX, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED
ruby_2_1 r51122 merged revision(s) 50671.
        
Updated by nagachika (Tomoyuki Chikanaga) over 10 years ago
- Backport changed from 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
Backported into ruby_2_2 branch at r51132.
        
Updated by nagachika (Tomoyuki Chikanaga) over 10 years ago
- Backport changed from 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED
sorry, previous comment is a mistake.
        
Updated by nagachika (Tomoyuki Chikanaga) over 10 years ago
- Backport changed from 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
Backported into ruby_2_2 at r51134.
        
Updated by nobu (Nobuyoshi Nakada) about 10 years ago
- Has duplicate Bug #11557: Capturing Limits added