Bug #1274

closed

Heap Corruption in float#to_s

Added by cfis (Charlie Savage) almost 16 years ago. Updated over 13 years ago.

Status:
Closed
Assignee:
-
Target version:
ruby -v:
ruby 1.9.2dev (2009-03-12) [i386-mswin32_90]
Backport:
[ruby-core:22852]

Description

=begin
Ruby compiled with -RCT1, VC 2008

Ruby code: -0.0.to_s

Result: Heap corruption.

Problem:

  1. util.c:3222
    return nrv_alloc("0", rve, 1);

  2. util.c:3069

static char *
nrv_alloc(const char *s, char **rve, int n)
{
    char *rv, *t;

    t = rv = rv_alloc(n);              /* allocates n bytes: no room for the NUL */
    while ((*t = *s++) != 0) t++;      /* copies strlen(s) + 1 bytes, terminator included */
    if (rve)
        *rve = t;
    return rv;
}

  3. The loop writes the first byte of the rv buffer to '30'. It then writes the second byte to '0' causing a buffer overrun.

Fix is simple, change line 3073 to:

t = rv = rv_alloc(n+1);
=end
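A guard-byte harness that makes the off-by-one visible, added here as an illustration rather than code from Ruby's util.c: rv_alloc(n) is modelled as a plain n-byte allocation with one canary byte placed right after it, and the function names and GUARD value are constructed for the example.

```c
/* Added example (not Ruby's util.c): a guard-byte allocator that shows why
 * nrv_alloc must request n + 1 bytes. The copy loop is the one from the
 * report; rv_alloc(n) is modelled as n usable bytes followed by a canary. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5   /* constructed canary value for this example */

/* Model of rv_alloc(n): n usable bytes plus one guard byte after them.
 * The guard byte is inside the real allocation, so a one-byte overrun
 * is detectable here without undefined behaviour. */
static char *guarded_alloc(size_t n)
{
    char *p = malloc(n + 1);
    if (!p) abort();
    memset(p, 0, n);
    p[n] = (char)GUARD;   /* canary right past the requested size */
    return p;
}

/* Runs the report's copy loop into an n-byte buffer. Returns 1 if the
 * terminating NUL landed on the guard byte (i.e. the buffer overran). */
static int copy_and_check(const char *s, size_t n)
{
    char *rv = guarded_alloc(n), *t = rv;
    while ((*t = *s++) != 0) t++;   /* writes strlen(s) + 1 bytes */
    int overrun = ((unsigned char)rv[n] != GUARD);
    free(rv);
    return overrun;
}

/* Before the fix: rv_alloc(n) with n = strlen(s) leaves no room for NUL. */
int nrv_alloc_before_fix_overruns(const char *s)
{
    return copy_and_check(s, strlen(s));
}

/* After the fix: rv_alloc(n + 1) reserves the terminator. */
int nrv_alloc_after_fix_overruns(const char *s)
{
    return copy_and_check(s, strlen(s) + 1);
}

int main(void)
{
    printf("before fix, \"0\": overrun=%d\n", nrv_alloc_before_fix_overruns("0"));
    printf("after fix,  \"0\": overrun=%d\n", nrv_alloc_after_fix_overruns("0"));
    return 0;
}
```

The same one-byte overrun is what AddressSanitizer or a debug CRT heap check reports on the real -0.0.to_s path.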
