Revision ade1283c

Added by mame (Yusuke Endoh) over 4 years ago

Fix a use-after-free bug by avoiding rb_str_new_frozen

str2 = rb_str_new_frozen(str1) seems to make str1 a shared string that
refers to str2, but str2 is not marked as STR_IS_SHARED_M nor
STR_NOFREE.
rb_fstring(str2) frees str2's ptr because it is not marked, and the
freed pointer is the same as str1's ptr.
After that, accessing str1 may cause use-after-free memory corruption.

I guess this is a bug of rb_str_new_frozen, but I'm completely unsure
what it should be; the string states and flags are not documented.
So, this is a workaround for [Bug #16136]. I confirmed that rspec of
activeadmin runs gracefully.