kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

Fix a use-after-free bug by avoiding rb_str_new_frozen

Browse source 
`str2 = rb_str_new_frozen(str1)` seems to make str1 a shared string that
refers to str2, but str2 is not marked as STR_IS_SHARED_M nor
STR_NOFREE.
`rb_fstring(str2)` frees str2's ptr because it is not marked, and the
free'ed pointer is the same as str1's ptr.
After that, accessing str1 may cause use-after-free memory corruption.

I guess this is a bug of rb_str_new_frozen, but I'm completely unsure
what it should be; the string states and flags are not documented.
So, this is a workaround for [Bug #16136].  I confirmed that rspec of
activeadmin runs gracefully.
This commit is contained in:
Yusuke Endoh 2019-09-06 23:18:26 +09:00
parent 055b441093
commit ade1283ca2
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
symbol.c
View file

@ -739,7 +739,8 @@ rb_str_intern(VALUE str)
enc = ascii; enc = ascii;
} }
else { else {
str = rb_str_new_frozen(str); str = rb_str_dup(str);
OBJ_FREEZE(str);
} }
str = rb_fstring(str); str = rb_fstring(str);
type = rb_str_symname_type(str, IDSET_ATTRSET_FOR_INTERN); type = rb_str_symname_type(str, IDSET_ATTRSET_FOR_INTERN);