Bug #2383
windows - calling FreeEnvironmentStrings on envarea invalidates memory in use
Status: Rejected
Assignee: -
ruby -v: ruby 1.9.1p0 (2009-01-30 revision 21907) [i386-mswin32]
Description
=begin
In win32.c, in rb_w32_getenv, the code calls FreeEnvironmentStrings(envarea). By doing this, it invalidates memory that's currently in use.

See env_fetch in hash.c:

    ...
    env = getenv(nam);
    ...
    if (ENVMATCH(nam, PATH_ENV) && !rb_env_path_tainted())
        return rb_str_new2(env);

And in rb_env_path_tainted:

    if (path_tainted < 0) {
        path_tainted_p(getenv(PATH_ENV));
    }

The getenv call in rb_env_path_tainted frees envarea, but there's still an outstanding reference to memory in envarea: env, from env_fetch. Then we try to create a new string from env and dereference freed memory.

The repro is very simple:

    print "#{ENV["path"]}\n"

Run this under the debugger with pageheap on.
=end
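The report describes a classic dangling-pointer pattern: a getenv implementation that owns a single buffer, frees it on every call, and returns pointers into it, so any caller that holds a result across a second getenv call reads freed memory. The following C program is an added illustration and is not Ruby's win32.c or hash.c; it simulates that behaviour with a constructed environment block (sim_getenv stands in for rb_w32_getenv, sim_path_tainted for rb_env_path_tainted, and unsafe_fetch/safe_fetch are hypothetical stand-ins for the env_fetch pattern as reported and a copy-before-reuse fix). It records the address range of the last block it released so the dangling pointer can be detected without dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a Windows environment block:
 * "NAME=value\0NAME=value\0...\0", terminated by a second NUL. */
static const char kEnvBlock[] =
    "HOME=C:\\Users\\demo\0"
    "PATH=C:\\Ruby\\bin;C:\\Windows\0";
static const size_t kEnvBlockLen = sizeof kEnvBlock; /* string literal adds the final NUL */

/* The one buffer kept between calls, like envarea in win32.c. */
static char *envarea = NULL;

/* Address range of the block most recently handed back to the allocator,
 * kept as integers so we can test a pointer without dereferencing it. */
static uintptr_t last_freed_base = 0;
static size_t    last_freed_len  = 0;

int points_into_freed(const char *p) {
    uintptr_t a = (uintptr_t)p;
    return last_freed_len != 0 && a >= last_freed_base && a < last_freed_base + last_freed_len;
}

/* Simulates rb_w32_getenv as described in the report: fetch a fresh copy of
 * the environment block, release the previous copy, and return a pointer
 * INTO the new copy. Lookup is exact-case for simplicity. */
const char *sim_getenv(const char *name) {
    size_t nlen = strlen(name);
    char *p;
    if (envarea) {
        last_freed_base = (uintptr_t)envarea;
        last_freed_len  = kEnvBlockLen;
        free(envarea);                      /* FreeEnvironmentStrings(envarea) */
    }
    envarea = malloc(kEnvBlockLen);         /* GetEnvironmentStrings() */
    if (!envarea) return NULL;
    memcpy(envarea, kEnvBlock, kEnvBlockLen);
    for (p = envarea; *p; p += strlen(p) + 1) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=')
            return p + nlen + 1;
    }
    return NULL;
}

/* Stand-in for rb_env_path_tainted(): the important property is only that it
 * calls getenv again; the "taint" rule itself is a placeholder. */
int sim_path_tainted(void) {
    const char *path = sim_getenv("PATH");
    return path != NULL && strchr(path, ';') != NULL;
}

/* The pattern from env_fetch as reported: keep `env`, then call something that
 * looks PATH up again. That second lookup frees the block `env` points into.
 * The returned pointer is dangling; this function deliberately does not read it. */
const char *unsafe_fetch(const char *name, int *tainted) {
    const char *env = sim_getenv(name);
    if (!env) return NULL;
    *tainted = sim_path_tainted();          /* envarea freed here */
    return env;                             /* would be passed to rb_str_new2 */
}

/* Hardened form: copy the value into caller-owned memory before anything else
 * can touch envarea. Caller frees the result. */
char *safe_fetch(const char *name, int *tainted) {
    const char *env = sim_getenv(name);
    char *copy;
    if (!env) return NULL;
    copy = malloc(strlen(env) + 1);
    if (!copy) return NULL;
    strcpy(copy, env);                      /* the rb_str_new2 step, moved before the second lookup */
    *tainted = sim_path_tainted();
    return copy;
}

int main(void) {
    int t = 0;
    const char *dangling = unsafe_fetch("PATH", &t);
    char *owned = safe_fetch("PATH", &t);
    /* Note: a normal allocator may hand the same address back for the new
     * block, so the unsafe read can appear to work; a debugging heap such as
     * pageheap, as the report suggests, makes the stale read fault. */
    printf("unsafe pointer refers to freed block: %s\n", points_into_freed(dangling) ? "yes" : "no");
    printf("safe copy refers to freed block:      %s\n", points_into_freed(owned) ? "yes" : "no");
    printf("PATH via safe copy: %s\n", owned);
    free(owned);
    return 0;
}
```

The fix direction the program demonstrates is the one implied by the report: either the getenv wrapper must not free a buffer that earlier results may still reference, or every caller must copy the returned value before any call that can re-enter getenv.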