Bug #13289

closed

Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1

Added by lung (Luc Nguyen) over 8 years ago. Updated over 8 years ago.

Status: Closed
Assignee: -
Target version: -
ruby -v: 2.4.0p0 (2016-12-24 revision 57164) [x86_64-linux]
[ruby-core:<unknown>]

Description

An integer overflow occurs in string.c (lines 2319 & 5257).
beg + len & clen/n can be controlled by the user.
E.g.:

 a = "B" * 0x400
 a[0x40, 0x7fffffffffffffff]  # => set length of sub array to 0x7fffffffffffffff

This leads to out-of-bounds memory access if:

 #define SHARABLE_MIDDLE_SUBSTRING 1

PoC attached.


Files

substr.rb (104 Bytes), lung (Luc Nguyen), 03/07/2017 06:02 AM

Updated by nobu (Nobuyoshi Nakada) over 8 years ago #1

  • Status changed from Open to Closed

Applied in changeset r57799.


string.c: fix integer overflow

  • string.c (str_byte_substr): fix another integer overflow which
    can happen only when SHARABLE_MIDDLE_SUBSTRING is enabled.
    [ruby-core:79951] [Bug #13289]

Updated by naruse (Yui NARUSE) over 8 years ago #2 [ruby-core:80067]

  • Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: DONE

ruby_2_4 r57931 merged revision(s) 57797,57799,57800.
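
An added illustration, not part of the original report and not Ruby's string.c: the overflow-prone `beg + len` bounds check the report describes, next to an overflow-safe form, run on the values from the report's example. The function names are hypothetical, and the wrap is modelled with unsigned arithmetic because signed overflow is undefined behaviour in C.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, not Ruby's code. Each clamps a requested substring
 * length to what a buffer of `total` bytes holds, starting at offset `beg`.
 * Assumption: 0 <= beg <= total and len >= 0 (checked by the caller). */

/* Overflow-prone form: beg + len can exceed INT64_MAX. The sum is computed
 * in unsigned arithmetic to model the wrap without undefined behaviour. */
static int64_t clamp_len_unsafe(int64_t beg, int64_t len, int64_t total)
{
    int64_t end = (int64_t)((uint64_t)beg + (uint64_t)len); /* may wrap negative */
    if (end > total)
        len = total - beg;
    return len; /* left unclamped when end wrapped below total */
}

/* Overflow-safe form: total - beg cannot overflow given 0 <= beg <= total,
 * so the comparison is exact for every non-negative len. */
static int64_t clamp_len_safe(int64_t beg, int64_t len, int64_t total)
{
    if (len > total - beg)
        len = total - beg;
    return len;
}

/* Returns 1 when [beg, beg + len) lies inside the buffer, computed
 * without forming beg + len. */
static int range_fits(int64_t beg, int64_t len, int64_t total)
{
    return len >= 0 && beg >= 0 && beg <= total && len <= total - beg;
}

int main(void)
{
    /* Values from the report: "B" * 0x400, then a[0x40, 0x7fffffffffffffff] */
    int64_t total = 0x400, beg = 0x40, len = INT64_MAX;
    int64_t bad = clamp_len_unsafe(beg, len, total);
    int64_t good = clamp_len_safe(beg, len, total);

    printf("unsafe: len=%lld fits=%d\n", (long long)bad, range_fits(beg, bad, total));
    printf("safe:   len=%lld fits=%d\n", (long long)good, range_fits(beg, good, total));
    return 0;
}
```

A substring that shares the parent's buffer from the middle trusts the clamped length directly, which is why the unclamped value matters when `SHARABLE_MIDDLE_SUBSTRING` is enabled.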
