Bug #1274: Heap Corruption in float#to_s - Ruby - Ruby Issue Tracking System

Actions

Copy link

Bug #1274

closed

Heap Corruption in float#to_s

Bug #1274: Heap Corruption in float#to_s

Added by cfis (Charlie Savage) over 16 years ago. Updated over 14 years ago.

Status:

Closed

Assignee:

Target version:

1.9.1

ruby -v:

ruby 1.9.2dev (2009-03-12) [i386-mswin32_90]

Backport:

[ruby-core:22852]

Description

=begin
Ruby compiled with -RCT1, VC 2008

Ruby code: -0.0.to_s

Result: Heap corruption.

Problem:

util.c:3222
return nrv_alloc("0", rve, 1);
util.c:3069

static char *
nrv_alloc(const char *s, char **rve, int n)
{
char *rv, *t;

 t = rv = rv_alloc(n);
 while ((*t = *s++) != 0) t++;
 if (rve)
     *rve = t;
 return rv;

}

The loop writes the first byte of rv buffer to '30'. It then writes the second byte to '0' causing a buffer overrun.

Fix is simple, change line 3073 to:

t = rv = rv_alloc(n+1);
=end

History
Notes
Property changes

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Ruby

Tags

Custom queries

Bug #1274

Heap Corruption in float#to_s

Updated by nobu (Nobuyoshi Nakada) over 16 years ago Actions
Copy link
#1

Project

General

Profile

Ruby

Tags

Custom queries

Bug #1274

Heap Corruption in float#to_s

Updated by nobu (Nobuyoshi Nakada) over 16 years ago ActionsCopy link #1

Updated by nobu (Nobuyoshi Nakada) over 16 years ago Actions
Copy link
#1