Bug #1274 (closed): Heap Corruption in float#to_s
Description
Ruby compiled with -RCT1, VC 2008
Ruby code: -0.0.to_s
Result: Heap corruption.
Problem:

- util.c:3222

```c
return nrv_alloc("0", rve, 1);
```

- util.c:3069

```c
static char *
nrv_alloc(const char *s, char **rve, int n)
{
    char *rv, *t;
    t = rv = rv_alloc(n);            /* n bytes: no room for the terminating NUL */
    while ((*t = *s++) != 0) t++;    /* copies n chars, then writes the NUL one past the end */
    if (rve)
        *rve = t;
    return rv;
}
```

- The loop writes the first byte of the rv buffer to '30'. It then writes the second byte to '0', causing a buffer overrun.

Fix is simple, change line 3073 to:

```c
t = rv = rv_alloc(n+1);
```
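The off-by-one described in the report, as an added illustration that is not code from this tracker or from Ruby's util.c: `rv_alloc` is replaced by a constructed stand-in that records the requested size but pads the real allocation, so the buggy and fixed copy loops can be compared without corrupting the heap; `overrun_bytes` and `SLACK` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for dtoa's rv_alloc(): remembers the n bytes the caller
 * asked for but pads the real allocation so this demonstration stays memory-safe.
 * (The real rv_alloc rounds up to a Bigint block, which is why the overrun only
 * surfaces reliably under a checked runtime.) */
#define SLACK 16
static size_t requested_size;
static char *rv_alloc(int n)
{
    requested_size = (size_t)n;
    return malloc((size_t)n + SLACK);
}

/* Shape of the original function: n bytes for n characters, none for the NUL. */
static char *nrv_alloc_buggy(const char *s, char **rve, int n)
{
    char *rv, *t;
    t = rv = rv_alloc(n);
    while ((*t = *s++) != 0) t++;   /* n characters plus the terminator */
    if (rve) *rve = t;
    return rv;
}

/* Shape of the fix from the report: one extra byte for the terminator. */
static char *nrv_alloc_fixed(const char *s, char **rve, int n)
{
    char *rv, *t;
    t = rv = rv_alloc(n + 1);
    while ((*t = *s++) != 0) t++;
    if (rve) *rve = t;
    return rv;
}

/* Bytes written beyond what the allocator was asked for (0 means in bounds). */
static size_t overrun_bytes(char *(*fn)(const char *, char **, int), const char *s)
{
    char *end = NULL;
    char *rv = fn(s, &end, (int)strlen(s));
    size_t written = (size_t)(end - rv) + 1;   /* copied chars plus the NUL */
    free(rv);
    return written > requested_size ? written - requested_size : 0;
}

int main(void)
{
    printf("buggy: %zu byte(s) past the end\n", overrun_bytes(nrv_alloc_buggy, "0"));
    printf("fixed: %zu byte(s) past the end\n", overrun_bytes(nrv_alloc_fixed, "0"));
    return 0;
}
```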
Updated by nobu (Nobuyoshi Nakada) over 15 years ago
- Status changed from Open to Closed
- % Done changed from 0 to 100
Applied in changeset r22919.