Bug #3652: Typo in rb_str_resize causes arbitrary data to be used

Added by jeremyevans0 (Jeremy Evans) about 15 years ago. Updated over 14 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
head, 1.9.2, 1.9.1
Backport:
[ruby-core:31615]

Description

=begin
In rb_str_resize, if resizing a string with 0 length but larger capa to a size less than or equal to RSTRING_EMBED_LEN_MAX (23 bytes on 64-bit platforms, probably 11 bytes on 32-bit platforms), you get random memory contents in the string. For example, this code in a C function can trigger it:

 #include "ruby.h"   /* rb_str_buf_new, RSTRING_PTR, rb_str_resize */
 static VALUE
 trigger_bug(void)
 {
     int len;
     VALUE s;
     s = rb_str_buf_new(127);                           /* len 0, capa 127 */
     len = snprintf(RSTRING_PTR(s), 127, "123456789");  /* 9 bytes written */
     return rb_str_resize(s, len);                      /* shrink to len 9 */
 }

But if the snprintf line is:

 len = snprintf(RSTRING_PTR(s), 127, "123456789012345678901234");

then the bug does not occur.

This happens because ruby checks if the current length of the string is greater than 0, instead of checking the new length. When you use rb_str_buf_new, you create an empty string buffer (length 0, capa > 127) that you can write into and then truncate to a desired length via rb_str_resize.

I think this fix is important enough to backport to 1.9.2 and 1.9.1, so I've included patches for them as well as head. Hopefully the 1.9.2 fix can be applied before 1.9.2 final is released.
=end
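To make the failure mode concrete, here is a small C model of the shrink-to-embedded path the report describes. It is an added illustration, not code from Ruby's string.c or from the attached patches: the `mstr` struct, the `EMBED_LEN_MAX` constant (standing in for `RSTRING_EMBED_LEN_MAX` at 23 bytes), the functions `mstr_buf_new`, `mstr_resize` and `reproduce`, and the 0xAA filler that stands in for stale memory are all assumptions of the model. The `guard_on_new_len` flag switches between the typo the reporter describes (copy only if the old length is greater than 0) and the corrected condition (copy only if the new length is greater than 0).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: mirrors RSTRING_EMBED_LEN_MAX on a 64-bit build, as the report states. */
#define EMBED_LEN_MAX 23

/* Toy model of an RString: bytes live either inline (embedded) or in a
 * separately allocated heap buffer that has its own capacity. */
typedef struct {
    int  embedded;
    long len;
    union {
        char ary[EMBED_LEN_MAX + 1];
        struct { char *ptr; long capa; } heap;
    } as;
} mstr;

/* Like rb_str_buf_new: an empty string (len 0) backed by a heap buffer of `capa` bytes. */
static void mstr_buf_new(mstr *s, long capa)
{
    s->embedded = 0;
    s->len = 0;
    s->as.heap.ptr = malloc((size_t)capa + 1);
    s->as.heap.capa = capa;
    s->as.heap.ptr[0] = '\0';
}

static char *mstr_ptr(mstr *s)
{
    return s->embedded ? s->as.ary : s->as.heap.ptr;
}

/* Resize a heap-backed string.  When the new length fits inline, the bytes
 * move into the embedded array; the guard decides whether they are copied.
 * guard_on_new_len == 0 models the reported typo (checks the OLD length),
 * guard_on_new_len == 1 models the corrected check (the NEW length).
 * The 0xAA fill stands in for whatever stale bytes the inline array holds. */
static void mstr_resize(mstr *s, long new_len, int guard_on_new_len)
{
    long old_len = s->len;

    if (new_len < 0 || s->embedded)
        return;                         /* embedded source paths are not modelled here */

    if (new_len <= EMBED_LEN_MAX) {
        char *ptr = s->as.heap.ptr;
        memset(s->as.ary, 0xAA, sizeof s->as.ary);
        if ((guard_on_new_len ? new_len : old_len) > 0)
            memcpy(s->as.ary, ptr, (size_t)new_len);
        s->as.ary[new_len] = '\0';
        s->embedded = 1;
        s->len = new_len;
        free(ptr);
        return;
    }

    /* Stays on the heap: the bytes already in the buffer are simply kept. */
    if (new_len > s->as.heap.capa) {
        s->as.heap.ptr = realloc(s->as.heap.ptr, (size_t)new_len + 1);
        s->as.heap.capa = new_len;
    }
    s->len = new_len;
    s->as.heap.ptr[new_len] = '\0';
}

/* Replays the reporter's sequence (buffer of capa 127, snprintf, resize to the
 * written length).  Returns 1 if the resized string equals `text`, 0 if it
 * holds stale bytes instead. */
static int reproduce(const char *text, int guard_on_new_len)
{
    mstr s;
    int len, ok;

    mstr_buf_new(&s, 127);
    len = snprintf(mstr_ptr(&s), 127, "%s", text);
    mstr_resize(&s, len, guard_on_new_len);
    ok = s.len == len
      && memcmp(mstr_ptr(&s), text, (size_t)len) == 0
      && mstr_ptr(&s)[len] == '\0';
    if (!s.embedded) free(s.as.heap.ptr);
    return ok;
}

int main(void)
{
    printf("old-length guard,  9 bytes: %s\n", reproduce("123456789", 0) ? "intact" : "stale bytes");
    printf("new-length guard,  9 bytes: %s\n", reproduce("123456789", 1) ? "intact" : "stale bytes");
    printf("old-length guard, 24 bytes: %s\n", reproduce("123456789012345678901234", 0) ? "intact" : "stale bytes");
    return 0;
}
```

The 24-byte case stays on the heap and is unaffected under either guard, which matches the report's observation that the longer snprintf does not trigger the bug; only a shrink into embedded storage from a string whose current length is 0 skips the copy. The 0xAA fill is there so the model is deterministic; in the real interpreter the inline array would contain whatever the object slot previously held, which is why the reporter sees random memory contents.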


Files

rb_str_resize-head.patch (457 Bytes) - Patch for head - jeremyevans0 (Jeremy Evans), 08/04/2010 03:20 PM
rb_str_resize-1.9.2.patch (440 Bytes) - Patch for 1.9.2 - jeremyevans0 (Jeremy Evans), 08/04/2010 03:20 PM
rb_str_resize-1.9.1.patch (440 Bytes) - Patch for 1.9.1 - jeremyevans0 (Jeremy Evans), 08/04/2010 03:20 PM