diff options
| author | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-26 16:49:07 +0000 |
|---|---|---|
| committer | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-26 16:49:07 +0000 |
| commit | 416249b3fdf1a0de60d1ca25aacbaba5a5a148f8 (patch) | |
| tree | 42494cd3f3beb41c746dd016b06550ff9531dfe8 /string.c | |
| parent | f8efd7f9e852adda9fddb5682360bde263352e02 (diff) | |
merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]
Fixed heap-use-after-free
* string.c (rb_str_sub_bang): retrieves a pointer to the
replacement string buffer just before using it, for the case of
replacement with the receiver string itself. [Bug #16105]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67773 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'string.c')
| -rw-r--r-- | string.c | 3 |
1 files changed, 2 insertions, 1 deletions
@@ -5007,7 +5007,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) cr = cr2; } plen = end0 - beg0; - rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl); + rlen = RSTRING_LEN(repl); len = RSTRING_LEN(str); if (rlen > plen) { RESIZE_CAPA(str, len + rlen - plen); @@ -5016,6 +5016,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) if (rlen != plen) { memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen); } + rp = RSTRING_PTR(repl); memmove(p + beg0, rp, rlen); len += rlen - plen; STR_SET_LEN(str, len); |