diff options
author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-18 07:22:19 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-18 07:22:19 +0000 |
commit | a2da0c2a4d021b65543a9f15e052e937e67e3a18 (patch) | |
tree | fb0903d123effc0cca96f5486a1bbade05673a32 | |
parent | 1ea42115afaeba2aad4bbe8567be4b938c499d31 (diff) |
merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]
Fixed heap-use-after-free
* string.c (rb_str_sub_bang): retrieves a pointer to the
replacement string buffer just before using it, for the case of
replacement with the receiver string itself. [Bug #16105]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67747 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | string.c | 3 | ||||
-rw-r--r-- | test/ruby/test_string.rb | 6 | ||||
-rw-r--r-- | version.h | 2 |
3 files changed, 9 insertions, 2 deletions
@@ -5078,7 +5078,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) cr = cr2; } plen = end0 - beg0; - rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl); + rlen = RSTRING_LEN(repl); len = RSTRING_LEN(str); if (rlen > plen) { RESIZE_CAPA(str, len + rlen - plen); @@ -5087,6 +5087,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) if (rlen != plen) { memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen); } + rp = RSTRING_PTR(repl); memmove(p + beg0, rp, rlen); len += rlen - plen; STR_SET_LEN(str, len); diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index b8ae50d30d..23da909592 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -2008,6 +2008,12 @@ CODE r.taint a.sub!(/./, r) assert_predicate(a, :tainted?) + + bug16105 = '[Bug #16105] heap-use-after-free' + a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678") + b = a.dup + c = a.slice(1, 100) + assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105) end def test_succ @@ -1,6 +1,6 @@ #define RUBY_VERSION "2.6.3" #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR -#define RUBY_PATCHLEVEL 97 +#define RUBY_PATCHLEVEL 98 #define RUBY_RELEASE_YEAR 2019 #define RUBY_RELEASE_MONTH 8 |