Project

General

Profile

Bug #2383

windows - calling FreeEnvironmentStrings on envarea invalidates memory in use

Added by mosbessus (Mos Bessus) almost 10 years ago. Updated 26 days ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
ruby -v:
ruby 1.9.1p0 (2009-01-30 revision 21907) [i386-mswin32]
[ruby-core:26813]

Description

=begin
In win32.c, in rb_w32_getenv, the code calls FreeEnvironmentStrings(envarea). By doing this, it invalidates memory that's currently in use.

see env_fetch in hash.c:

...
env = getenv(nam);
...
if (ENVMATCH(nam, PATH_ENV) && !rb_env_path_tainted())
return rb_str_new2(env);

and in rb_env_path_tainted:

 if (path_tainted < 0) {
path_tainted_p(getenv(PATH_ENV));
 }

the getenv call in rb_env_path_tainted frees envarea, but there's still an outstanding reference to memory in envarea: env, from env_fetch. Then we try to create a new string from env and dereference freed memory.

The repro is very simple:

print "#{ENV["path"]}\n"

run this under the debugger with pageheap on.
=end

History

#1

Updated by ujihisa (Tatsuhiro Ujihisa) almost 10 years ago

  • Status changed from Open to Assigned
  • Assignee set to usa (Usaku NAKAMURA)

=begin

=end

#2

Updated by usa (Usaku NAKAMURA) almost 10 years ago

  • Status changed from Assigned to Open
  • Assignee deleted (usa (Usaku NAKAMURA))

=begin
See the definition of getenv in posix.
This is not a problem of Windows but a bug of the main body of ruby in clearness.
=end

#3

Updated by jeremyevans0 (Jeremy Evans) 26 days ago

  • Status changed from Open to Rejected
  • Description updated (diff)

Also available in: Atom PDF