
Bug #3652: Typo in rb_str_resize causes arbitrary data to be used

Added by jeremyevans0 (Jeremy Evans) about 15 years ago. Updated over 14 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
head, 1.9.2, 1.9.1
Backport:
[ruby-core:31615]

Description

=begin
In rb_str_resize, if resizing a string with 0 length but larger capa to a size less than or equal to RSTRING_EMBED_LEN_MAX (23 bytes on 64-bit platforms, probably 11 bytes on 32-bit platforms), you get random memory contents in the string. For example, this code in a C function can trigger it:

 static VALUE
 trigger(void)
 {
     int len;
     VALUE s;
     s = rb_str_buf_new(127);                          /* empty string: length 0, capa 127 */
     len = snprintf(RSTRING_PTR(s), 127, "123456789");  /* 9 bytes written, length still 0 */
     return rb_str_resize(s, len);                      /* embeds without copying: old length is 0 */
 }

But if the snprintf line is:

 len = snprintf(RSTRING_PTR(s), 127, "123456789012345678901234");

then the bug does not occur.

This happens because ruby checks if the current length of the string is greater than 0, instead of checking the new length. When you use rb_str_buf_new, you create an empty string buffer (length 0, capa > 127) that you can write into and then truncate to a desired length via rb_str_resize.

I think this fix is important enough to backport to 1.9.2 and 1.9.1, so I've included patches for them as well as head. Hopefully the 1.9.2 fix can be applied before 1.9.2 final is released.
=end


Files

rb_str_resize-head.patch (457 Bytes) - Patch for head - jeremyevans0 (Jeremy Evans), 08/04/2010 03:20 PM
rb_str_resize-1.9.2.patch (440 Bytes) - Patch for 1.9.2 - jeremyevans0 (Jeremy Evans), 08/04/2010 03:20 PM
rb_str_resize-1.9.1.patch (440 Bytes) - Patch for 1.9.1 - jeremyevans0 (Jeremy Evans), 08/04/2010 03:20 PM

Updated by nobu (Nobuyoshi Nakada) about 15 years ago #1

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

=begin
This issue was solved with changeset r28851.
Jeremy, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

=end

Updated by nobu (Nobuyoshi Nakada) about 15 years ago #2

  • Category set to ext
  • Status changed from Closed to Assigned
  • Assignee set to yugui (Yuki Sonoda)


Updated by nobu (Nobuyoshi Nakada) about 15 years ago #3

  • Status changed from Assigned to Open
  • Assignee deleted (yugui (Yuki Sonoda))


Updated by nobu (Nobuyoshi Nakada) about 15 years ago #4

  • Category set to ext
  • Priority changed from 5 to 3

=begin
rb_str_resize needs the length to be set before the call.
You should use rb_str_set_len instead.
I'll mention this in README.EXT later.

=end
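The mechanism Jeremy describes (the heap-to-embed branch copying only when the old length is non-zero) and the reason nobu's rb_str_set_len advice avoids it, shown as a self-contained C model added here. This is not Ruby's source: the struct and functions (mstr, buf_new, set_len, resize, reproduce) are this example's own, and the '?' fill is a constructed stand-in for whatever stale bytes an uninitialised embedded array would really hold.

```c
/* Added example, not Ruby's code: a minimal model of the embed/heap string
 * layout and of the resize branch discussed in this ticket. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EMBED_LEN_MAX 23   /* RSTRING_EMBED_LEN_MAX on 64-bit, as stated in the report */

typedef struct {
    long len;        /* length the string claims to have */
    int  embedded;   /* 1: bytes live in as.ary; 0: bytes live in as.heap.ptr */
    union {
        char ary[EMBED_LEN_MAX + 1];
        struct { char *ptr; long capa; } heap;
    } as;
} mstr;

/* Model of rb_str_buf_new: length 0, but a heap buffer of capa bytes to write into. */
static mstr *buf_new(long capa) {
    mstr *s = calloc(1, sizeof *s);
    s->as.heap.ptr = calloc(capa + 1, 1);
    s->as.heap.capa = capa;
    return s;
}

static char *str_ptr(mstr *s) { return s->embedded ? s->as.ary : s->as.heap.ptr; }

static void str_free(mstr *s) {
    if (!s->embedded) free(s->as.heap.ptr);
    free(s);
}

/* Model of rb_str_set_len: the caller declares how many bytes are valid. */
static void set_len(mstr *s, long len) { s->len = len; str_ptr(s)[len] = '\0'; }

/* Model of the heap-to-embed branch of rb_str_resize. check_new_len == 0
 * reproduces the typo (copy only if the OLD length slen > 0);
 * check_new_len == 1 is the corrected check (copy if the NEW length len > 0). */
static void resize(mstr *s, long len, int check_new_len) {
    long slen = s->len;
    if (len != slen && !s->embedded && len <= EMBED_LEN_MAX) {
        char *old = s->as.heap.ptr;              /* save before ary[] overlays the union */
        long guard = check_new_len ? len : slen;
        s->embedded = 1;
        memset(s->as.ary, '?', EMBED_LEN_MAX);   /* constructed stand-in for stale memory */
        if (guard > 0) memcpy(s->as.ary, old, len);
        s->as.ary[len] = '\0';
        free(old);
    }
    s->len = len;
    str_ptr(s)[len] = '\0';
}

/* Reproduce the report: snprintf into a 127-byte buffer, optionally declare the
 * length first (nobu's advice), then resize to the written length.
 * Returns the bytes the string ends up holding. */
static const char *reproduce(const char *text, int check_new_len, int set_len_first) {
    static char out[128];
    mstr *s = buf_new(127);
    int len = snprintf(str_ptr(s), 127, "%s", text);
    if (set_len_first) set_len(s, len);
    resize(s, len, check_new_len);
    snprintf(out, sizeof out, "%s", str_ptr(s));
    str_free(s);
    return out;
}

int main(void) {
    printf("typo, 9 bytes          : %s\n", reproduce("123456789", 0, 0));
    printf("fixed check, 9 bytes   : %s\n", reproduce("123456789", 1, 0));
    printf("typo + set_len first   : %s\n", reproduce("123456789", 0, 1));
    printf("typo, 24 bytes (heap)  : %s\n", reproduce("123456789012345678901234", 0, 0));
    return 0;
}
```

The first case shows the data loss: the old length is 0, so the copy is skipped and the embedded array keeps whatever it already held. The corrected check copies the 9 bytes. Setting the length before the call makes old and new length equal, so the embed conversion never runs with a zero old length; and a 24-byte result exceeds EMBED_LEN_MAX, stays on the heap, and is unaffected either way, which matches the second snprintf in the report.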

Updated by nobu (Nobuyoshi Nakada) about 15 years ago #5

  • Status changed from Open to Closed

=begin
This issue was solved with changeset r28857.
Jeremy, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

=end
