Bug #13289: Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1 - Ruby - Ruby Issue Tracking System

Actions

Copy link

Bug #13289

closed

Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1

Bug #13289: Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1

Added by lung (Luc Nguyen) over 8 years ago. Updated over 8 years ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

2.4.0p0 (2016-12-24 revision 57164) [x86_64-linux]

Backport:

2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: DONE

[ruby-core:<unknown>]

Description

Integer overflow occurs in string.c(line 2319 & 5257).
beg + len & clen/n can be controlled by user.
Eg:

 a="B"*0x400
 a[0x40,0x7fffffffffffffff] => set length of sub array to 0x7fffffffffffffff

This lead to access out of bound memory if:

#define SHARABLE_MIDDLE_SUBSTRING 1

PoC attached.

Files

substr.rb (104 Bytes) substr.rb

lung (Luc Nguyen), 03/07/2017 06:02 AM

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: PDF Atom

Project

General

Profile

Ruby

Tags

Custom queries

Bug #13289

Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1

Updated by nobu (Nobuyoshi Nakada) over 8 years ago Actions
Copy link
#1

Updated by naruse (Yui NARUSE) over 8 years ago Actions
Copy link
#2 [ruby-core:80067]

Project

General

Profile

Ruby

Tags

Custom queries

Bug #13289

Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1

Updated by nobu (Nobuyoshi Nakada) over 8 years ago ActionsCopy link #1

Updated by naruse (Yui NARUSE) over 8 years ago ActionsCopy link #2 [ruby-core:80067]

Updated by nobu (Nobuyoshi Nakada) over 8 years ago Actions
Copy link
#1

Updated by naruse (Yui NARUSE) over 8 years ago Actions
Copy link
#2 [ruby-core:80067]