kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

String#b: Don't depend on dependent string

Browse source 
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.

The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe for using eval as a cross-version way
of registering a fstring.

```ruby
a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a
```

 - string.c (str_replace_shared_without_enc): when given a
   dependent string, depend on the root of the dependent
   string.

[Bug #15934]
This commit is contained in:
Alan Wu 2019-05-12 20:22:37 -04:00 committed by Nobuyoshi Nakada
parent 39a8c71424
commit 9dec4e8fc3
No known key found for this signature in database
GPG key ID: 4BC7D6DF58D8DF60
2 changed files with 19 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
string.c
View file

@ -1161,19 +1161,26 @@ str_replace_shared_without_enc(VALUE str2, VALUE str)
TERM_FILL(ptr2+len, termlen); TERM_FILL(ptr2+len, termlen);
} }
else { else {
str = rb_str_new_frozen(str); VALUE root;
if (STR_SHARED_P(str)) {
root = RSTRING(str)->as.heap.aux.shared;
RSTRING_GETMEM(str, ptr, len);
}
else {
root = rb_str_new_frozen(str);
RSTRING_GETMEM(root, ptr, len);
}
if (!STR_EMBED_P(str2) && !FL_TEST_RAW(str2, STR_SHARED|STR_NOFREE)) { if (!STR_EMBED_P(str2) && !FL_TEST_RAW(str2, STR_SHARED|STR_NOFREE)) {
/* TODO: check if str2 is a shared root */ /* TODO: check if str2 is a shared root */
char *ptr2 = STR_HEAP_PTR(str2); char *ptr2 = STR_HEAP_PTR(str2);
if (STR_HEAP_PTR(str) != ptr2) { if (ptr2 != ptr) {
ruby_sized_xfree(ptr2, STR_HEAP_SIZE(str2)); ruby_sized_xfree(ptr2, STR_HEAP_SIZE(str2));
} }
} }
FL_SET(str2, STR_NOEMBED); FL_SET(str2, STR_NOEMBED);
RSTRING_GETMEM(str, ptr, len);
RSTRING(str2)->as.heap.len = len; RSTRING(str2)->as.heap.len = len;
RSTRING(str2)->as.heap.ptr = ptr; RSTRING(str2)->as.heap.ptr = ptr;
STR_SET_SHARED(str2, str); STR_SET_SHARED(str2, root);
} }
return str2; return str2;
} }

8
test/ruby/test_string.rb
View file

@ -2983,6 +2983,14 @@ CODE
assert_equal(('a' * 24), a, '[Bug #15792]') assert_equal(('a' * 24), a, '[Bug #15792]')
end end
def test_nesting_shared_b
a = ('j' * 24).b.b
eval('', binding, a)
assert_equal(('j' * 24), a)
4.times { GC.start }
assert_equal(('j' * 24), a, '[Bug #15934]')
end
def test_shared_force_encoding def test_shared_force_encoding
s = "\u{3066}\u{3059}\u{3068}".gsub(//, '') s = "\u{3066}\u{3059}\u{3068}".gsub(//, '')
h = {} h = {}