diff options
author | Alan Wu <XrXr@users.noreply.github.com> | 2019-05-12 20:22:37 -0400 |
---|---|---|
committer | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2019-06-18 12:18:13 +0900 |
commit | 9dec4e8fc3a6018261834b5ac9b9877f787b97ca (patch) | |
tree | e0a8dd295390ae966ac937590b20eefab658bd09 | |
parent | 39a8c7142400d582ac4bb02a1804a5949f8da9bc (diff) |
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.
The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe for using eval as a cross-version way
of registering a fstring.
```ruby
a = ('j' * 24).b.b
eval('', binding, a)
p a
4.times { GC.start }
p a
```
- string.c (str_replace_shared_without_enc): when given a
dependent string, depend on the root of the dependent
string.
[Bug #15934]
-rw-r--r-- | string.c | 15 | ||||
-rw-r--r-- | test/ruby/test_string.rb | 8 |
2 files changed, 19 insertions, 4 deletions
@@ -1161,19 +1161,26 @@ str_replace_shared_without_enc(VALUE str2, VALUE str) TERM_FILL(ptr2+len, termlen); } else { - str = rb_str_new_frozen(str); + VALUE root; + if (STR_SHARED_P(str)) { + root = RSTRING(str)->as.heap.aux.shared; + RSTRING_GETMEM(str, ptr, len); + } + else { + root = rb_str_new_frozen(str); + RSTRING_GETMEM(root, ptr, len); + } if (!STR_EMBED_P(str2) && !FL_TEST_RAW(str2, STR_SHARED|STR_NOFREE)) { /* TODO: check if str2 is a shared root */ char *ptr2 = STR_HEAP_PTR(str2); - if (STR_HEAP_PTR(str) != ptr2) { + if (ptr2 != ptr) { ruby_sized_xfree(ptr2, STR_HEAP_SIZE(str2)); } } FL_SET(str2, STR_NOEMBED); - RSTRING_GETMEM(str, ptr, len); RSTRING(str2)->as.heap.len = len; RSTRING(str2)->as.heap.ptr = ptr; - STR_SET_SHARED(str2, str); + STR_SET_SHARED(str2, root); } return str2; } diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index f0649b092f..35f27c8b75 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -2983,6 +2983,14 @@ CODE assert_equal(('a' * 24), a, '[Bug #15792]') end + def test_nesting_shared_b + a = ('j' * 24).b.b + eval('', binding, a) + assert_equal(('j' * 24), a) + 4.times { GC.start } + assert_equal(('j' * 24), a, '[Bug #15934]') + end + def test_shared_force_encoding s = "\u{3066}\u{3059}\u{3068}".gsub(//, '') h = {} |