Bug #16376

closed

Stack-buffer-overflow in renumber_by_map in regcomp.c

Added by manhndd (Mạnh Nguyễn Đức) over 4 years ago. Updated almost 2 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.7.0dev (2019-11-11T11:19:29Z master 8b27c23b5d) [x86_64-linux]
[ruby-core:95973]
Tags:

Description

I found this bug in the Ruby regex engine. I also reported this issue to Onigmo (https://github.com/k-takata/Onigmo/issues/144).
I reported this to , but there has been no reply for more than 2 weeks. So I decided to report it here.

Environment

root@manh-ubuntu16:~/fuzz/fuzz_ruby# ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
root@manh-ubuntu16:~/fuzz/fuzz_ruby# uname -a
Linux manh-ubuntu16 4.4.0-166-generic #195-Ubuntu SMP Tue Oct 1 09:35:25 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@manh-ubuntu16:~/fuzz/fuzz_ruby# lsb_release -r
Release: 16.04

Compilation

STRIP=echo optflags=-O0 debugflags="-ggdb3 -fsanitize=address" CC=gcc ./configure
ASAN_OPTIONS=detect_leaks=0 make -j4
ASAN_OPTIONS=detect_leaks=0 make install -j4

Reproduce

root@manh-ubuntu16:~/fuzz/fuzz_ruby# ASAN_OPTIONS=detect_leaks=0 ./ruby-gcc-asan/ruby -v
ruby 2.7.0dev (2019-11-11T11:19:29Z master 8b27c23b5d) [x86_64-linux]
root@manh-ubuntu16:~/fuzz/fuzz_ruby# cat test.rb
"".match /(())(?<X>)((?(90000)))/
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ASAN_OPTIONS=detect_leaks=0 ./ruby-gcc-asan/ruby test.rb
ASAN:SIGSEGV
=================================================================
==14276==ERROR: AddressSanitizer: SEGV on unknown address 0x7fffb8fb9d90 (pc 0x5612578c2903 bp 0x7fffb8f61f10 sp 0x7fffb8f61ef0 T0)
    #0 0x5612578c2902 in renumber_by_map /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:1963
    #1 0x5612578c279a in renumber_by_map /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:1953
    #2 0x5612578c2e57 in disable_noname_group_capture /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:2036
    #3 0x5612578d7ade in onig_compile_ruby /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:5773
    #4 0x5612578a704b in onig_new_with_source /root/fuzz/fuzz_ruby/ruby-191111/re.c:850
    #5 0x5612578a71fe in make_regexp /root/fuzz/fuzz_ruby/ruby-191111/re.c:874
    #6 0x5612578b27d0 in rb_reg_initialize /root/fuzz/fuzz_ruby/ruby-191111/re.c:2858
    #7 0x5612578b2b28 in rb_reg_initialize_str /root/fuzz/fuzz_ruby/ruby-191111/re.c:2892
    #8 0x5612578b366b in rb_reg_compile /root/fuzz/fuzz_ruby/ruby-191111/re.c:2982
    #9 0x56125785d568 in rb_parser_reg_compile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:12197
    #10 0x56125785d4c8 in parser_reg_compile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:12191
    #11 0x56125785d59c in reg_compile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:12207
    #12 0x5612578514a9 in new_regexp /root/fuzz/fuzz_ruby/ruby-191111/parse.y:10113
    #13 0x56125782abfc in ruby_yyparse /root/fuzz/fuzz_ruby/ruby-191111/parse.y:4419
    #14 0x5612578338ab in yycompile0 /root/fuzz/fuzz_ruby/ruby-191111/parse.y:5942
    #15 0x561257a8a470 in rb_suppress_tracing /root/fuzz/fuzz_ruby/ruby-191111/vm_trace.c:427
    #16 0x56125783409c in yycompile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:5991
    #17 0x561257834a9a in rb_parser_compile_file_path /root/fuzz/fuzz_ruby/ruby-191111/parse.y:6130
    #18 0x56125792fb0b in load_file_internal /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:2034
    #19 0x5612576acd68 in rb_ensure /root/fuzz/fuzz_ruby/ruby-191111/eval.c:1129
    #20 0x5612579300e2 in load_file /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:2153
    #21 0x56125792e351 in process_options /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:1793
    #22 0x561257930f03 in ruby_process_options /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:2384
    #23 0x5612576a8365 in ruby_options /root/fuzz/fuzz_ruby/ruby-191111/eval.c:123
    #24 0x5612576a26ef in main main.c:50
    #25 0x7fd3cdcd682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #26 0x5612576a24e8 in _start (/root/fuzz/fuzz_ruby/ruby-gcc-asan/ruby+0xea4e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:1963 renumber_by_map
==14276==ABORTING
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ruby test.rb
test.rb: [BUG] Segmentation fault at 0x007fffe5248000
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]

-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0002 E:001f20 (none) [FINISH]


-- Machine register context ------------------------------------------------

-- C level backtrace information -------------------------------------------
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814dd2fd5]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814dd320c]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814cac8c4]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5ee8e]
/lib/x86_64-linux-gnu/libc.so.6 [0x7fa8148b34b0]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d41214]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d41145]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d4230b]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(onig_compile+0x1a7) [0x7fa814d482c7]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d3ca65]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d3ccbc]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d3f25e]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814c6b676]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d1cf02]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d1e5f0]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814dd6d8c]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(rb_parser_compile_file_path+0x7b) [0x7fa814d0f4cb]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5d467]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(rb_ensure+0xb0) [0x7fa814cb22f0]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5bc6f]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5e2db]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(ruby_process_options+0x5b) [0x7fa814d5e71b]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(ruby_options+0xb7) [0x7fa814cb3117]
ruby [0x400873]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0) [0x7fa81489e830] ../csu/libc-start.c:291
ruby(_start+0x29) [0x4008a9]

-- Other runtime information -----------------------------------------------

* Loaded script: test.rb

* Loaded features:


* Process memory map:



[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

Aborted (core dumped)

Analysis

The issue happens with the latest dev version of ruby and the default ruby version in my Ubuntu.
The bug comes from (renumber_by_map in regcomp.c:1963):

  case NT_ENCLOSE:
    {
      EncloseNode* en = NENCLOSE(node);
      if (en->type == ENCLOSE_CONDITION)
        en->regnum = map[en->regnum].new_val;   /* regnum is not checked against the size of map */
      r = renumber_by_map(en->target, map);
    }

Here en->regnum is assigned new_val from map without checking the size of map.
With the input "".match /(())(?<X>)((?(90000)))/, map is a 5-element array and en->regnum = 90000 => en->regnum is assigned a new_val at map[90000] => buffer overflow. We can control the offset of the read and control the new_val to be assigned to en->regnum.
You can modify N in "".match /(())(?<X>)((?(N)))/ until you get a crash.
This code is triggered only if the node is ENCLOSE_CONDITION and the following conditions are matched (regcomp.c:5770), after which disable_noname_group_capture is called:

#ifdef USE_NAMED_GROUP
  /* mixed use named group and no-named group */
  if (scan_env.num_named > 0 &&
      IS_SYNTAX_BV(scan_env.syntax, ONIG_SYN_CAPTURE_ONLY_NAMED_GROUP) &&
      !ONIG_IS_OPTION_ON(reg->options, ONIG_OPTION_CAPTURE_GROUP)) {
    if (scan_env.num_named != scan_env.num_mem)
      r = disable_noname_group_capture(&root, reg, &scan_env);

--
Thanks & Regards,
Nguyễn Đức Mạnh
Tarantula Team, VinCSS (Vingroup)
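A simplified model of the renumbering step described above, together with the bounds check that xtkoba's patch describes further down the thread, added here as an example; it is not Onigmo's or Ruby's code. GroupNumRemap, build_map, renumber_condition and cond_result_for are constructed for this example, the numeric value of ONIGERR_INVALID_BACKREF is assumed, and the map models the report's pattern /(())(?<X>)((?(N)))/ with four groups, of which only group 3 is named.

```c
#include <stdio.h>

/* Constructed model of Onigmo's group-number remap; not the library's code. */
#define ONIG_NORMAL              0
#define ONIGERR_INVALID_BACKREF  (-208)   /* value assumed for this example */
#define MAX_GROUPS               16       /* stack array, as xalloca gives in Onigmo */

typedef struct { int new_val; } GroupNumRemap;

/* Build the old->new group-number map: named groups are renumbered 1..n in
 * order, unnamed groups map to 0 (they stop capturing). Returns n. */
static int build_map(const int *is_named, int num_mem, GroupNumRemap *map)
{
    int counter = 0;
    map[0].new_val = 0;
    for (int i = 1; i <= num_mem; i++)
        map[i].new_val = is_named[i] ? ++counter : 0;
    return counter;
}

/* The reported code did map[regnum] unconditionally, so regnum = 90000 read
 * far past a 5-element stack array. This version validates regnum against
 * num_mem first and reports an invalid backref, which is the fix's intent. */
static int renumber_condition(int regnum, const GroupNumRemap *map,
                              int num_mem, int *out)
{
    if (regnum <= 0 || regnum > num_mem)
        return ONIGERR_INVALID_BACKREF;   /* e.g. (?(90000)) with 4 groups */
    *out = map[regnum].new_val;
    return ONIG_NORMAL;
}

/* Model of /(())(?<X>)((?(N)))/: groups 1, 2 and 4 unnamed, group 3 named.
 * Returns the status; on success *out holds the renumbered condition group. */
static int cond_result_for(int n, int *out)
{
    int is_named[MAX_GROUPS + 1] = {0};
    int num_mem = 4;
    GroupNumRemap map[MAX_GROUPS + 1];   /* stack buffer, like the original */
    is_named[3] = 1;
    build_map(is_named, num_mem, map);
    return renumber_condition(n, map, num_mem, out);
}

int main(void)
{
    int out = -1;
    int r = cond_result_for(3, &out);
    printf("(?(3))     -> status %d, new regnum %d\n", r, out);
    r = cond_result_for(90000, &out);
    printf("(?(90000)) -> status %d (rejected before indexing map)\n", r);
    return 0;
}
```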


Files

ruby-regcomp-renumber_by_map-sbo.patch (1.95 KB), xtkoba (Tee KOBAYASHI), 03/14/2021 02:02 PM

Updated by xtkoba (Tee KOBAYASHI) about 3 years ago

Though the example might be pathological, causing segfaults is not nice.

I wrote a patch to make renumber_by_map (and renumber_node_backref) check the size of the array map before accessing its element.

The behavior after the patch is applied:

$ ./miniruby -e '"".match /(())(?<X>)((?(5)))/'
-e:1: invalid backref number/name: /(())(?<X>)((?(5)))/

Updated by xtkoba (Tee KOBAYASHI) about 3 years ago

  • Status changed from Open to Closed

Applied in changeset git|0846c2da457e7523819236ac7da492029b3ef73d.

Check backref number buffer overrun [Bug #16376]


Updated by nobu (Nobuyoshi Nakada) over 2 years ago

  • Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) over 2 years ago

  • Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: DONE

ruby_3_0 2aad080396f5b79a33502f1d812fb237968cb931 merged revision(s) 0846c2da457e7523819236ac7da492029b3ef73d,6c7cb00c094332a208cf36e5cd723a9ba60c41b8.

Updated by dcouture-gitlab (Dominic Couture) about 2 years ago

I know this was fixed 6 months ago but I figured it wouldn't hurt to ask: Is a 2.7 backport possible here? Thanks.


Updated by usa (Usaku NAKAMURA) almost 2 years ago

  • Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: DONE to 2.6: WONTFIX, 2.7: DONE, 3.0: DONE