Bug #2383

closed

windows - calling FreeEnvironmentStrings on envarea invalidates memory in use

Added by mosbessus (Mos Bessus) over 14 years ago. Updated over 4 years ago.

Status:
Rejected
Assignee:
-
ruby -v:
ruby 1.9.1p0 (2009-01-30 revision 21907) [i386-mswin32]
[ruby-core:26813]

Description

=begin
In win32.c, in rb_w32_getenv, the code calls FreeEnvironmentStrings(envarea). By doing this, it invalidates memory that's currently in use.

See env_fetch in hash.c:

    ...
    env = getenv(nam);
    ...
    if (ENVMATCH(nam, PATH_ENV) && !rb_env_path_tainted())
        return rb_str_new2(env);

And in rb_env_path_tainted:

    if (path_tainted < 0) {
        path_tainted_p(getenv(PATH_ENV));
    }

The getenv call in rb_env_path_tainted frees envarea, but there's still an outstanding reference to memory in envarea: env, from env_fetch. Then we try to create a new string from env and dereference freed memory.

The repro is very simple:

    print "#{ENV["path"]}\n"

Run this under the debugger with pageheap on.
=end
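The sequence the report describes, reduced to a small model as an added example (this is not Ruby's win32.c or hash.c code): model_getenv, path_tainted, env_fetch_buggy and env_fetch_fixed are constructed names, and the environment block is constructed. It shows that a pointer held across the second getenv call goes stale, and the copy-first shape of env_fetch that avoids relying on envarea.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not Ruby's code. It models the report: a getenv() that frees
 * its previous result buffer (envarea) on every call, so every pointer it
 * handed out earlier dangles. Constructed environment block in the
 * GetEnvironmentStrings() layout "NAME=value\0NAME=value\0\0". */
static const char ENV_BLOCK[] = "PATH=C:\\tools;.;C:\\bin\0RUBYOPT=-w\0";

static char *envarea = NULL;            /* the single owned buffer, as in win32.c */
static unsigned envarea_generation = 0; /* bumped every time envarea is freed */

static char *model_getenv(const char *name) {
    size_t nlen = strlen(name);
    if (envarea) { free(envarea); envarea_generation++; } /* invalidates earlier returns */
    envarea = malloc(sizeof ENV_BLOCK);
    memcpy(envarea, ENV_BLOCK, sizeof ENV_BLOCK);
    for (char *p = envarea; *p; p += strlen(p) + 1)
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') return p + nlen + 1;
    return NULL;
}

/* Stand-in for rb_env_path_tainted: the detail that matters is that it calls
 * getenv again; the predicate itself is simplified (flags a relative entry). */
static int path_tainted(void) {
    const char *p = model_getenv("PATH");
    return p != NULL && (p[0] == '.' || strstr(p, ";.") != NULL);
}

/* Shape of env_fetch from the report: holds `env` across the second getenv.
 * Returns 1 when `env` has become stale (its buffer was freed), the condition
 * the reporter hit; the dangling pointer is never dereferenced here. */
static int env_fetch_buggy(const char *name) {
    const char *env = model_getenv(name);
    unsigned got_at = envarea_generation;
    if (env == NULL) return 0;
    (void)path_tainted();                  /* frees envarea behind our back */
    return got_at != envarea_generation;   /* 1: `env` now dangles */
}

/* Fixed shape: copy the value into caller-owned memory before any call that
 * may reach getenv again. The caller frees the returned string. */
static char *env_fetch_fixed(const char *name, int *tainted) {
    const char *env = model_getenv(name);
    char *copy = env ? malloc(strlen(env) + 1) : NULL;
    if (copy) strcpy(copy, env);
    *tainted = path_tainted();             /* safe: we no longer rely on envarea */
    return copy;
}
```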
