Fix use of uninitialized memory in strings

Strings created from the C API with a len but no ptr have a buffer allocated and the length set, but the buffer is not zero'd. This causes use of uninitialized memory and allows reading memory that previously existed there. For example, the rb_str_tmp_new spec fails when we create a string with a large length greater than 24 bytes (since we zero the first 24 bytes of the slot).
author: Peter Zhu <peter@peterzhu.ca> 2025-09-11 10:51:00 -0400
committer: Peter Zhu <peter@peterzhu.ca> 2025-09-12 08:00:54 -0400
commit: 2687ecaf6fc3e07ce3cbe089d0537eb94518c082 (patch)
tree: 651cc9ad47516ff78cb88c3967d9c447279e259c /string.c
parent: 38ec296ce5e7e4cf0ac49b2fa43eec9e6a53e269 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/string.c b/string.c
index 20873a35a5..7b8a55a535 100644
--- a/string.c
+++ b/string.c
@@ -1066,6 +1066,9 @@ str_enc_new(VALUE klass, const char *ptr, long len, rb_encoding *enc)
     if (ptr) {
         memcpy(RSTRING_PTR(str), ptr, len);
     }
+    else {
+        memset(RSTRING_PTR(str), 0, len);
+    }
 
     STR_SET_LEN(str, len);
     TERM_FILL(RSTRING_PTR(str) + len, termlen);
author	Peter Zhu <peter@peterzhu.ca>	2025-09-11 10:51:00 -0400
committer	Peter Zhu <peter@peterzhu.ca>	2025-09-12 08:00:54 -0400
commit	2687ecaf6fc3e07ce3cbe089d0537eb94518c082 (patch)
tree	651cc9ad47516ff78cb88c3967d9c447279e259c /string.c
parent	38ec296ce5e7e4cf0ac49b2fa43eec9e6a53e269 (diff)