ruby.git - The Ruby Programming Language

diff options

author	Peter Zhu <peter@peterzhu.ca>	2025-09-10 19:53:13 -0400
committer	Peter Zhu <peter@peterzhu.ca>	2025-09-11 08:14:25 -0400
commit	b62753246eba4940f82a81736fc09b6517fa3965 (patch)
tree	057a6e7b05b623283d5242a00140731387f2c0e4 /test/ruby
parent	f164e1c03ac8b509563c7305ff2249c21d7b78b3 (diff)

Fix out-of-bounds read in rb_location_ary_to_backtrace

rb_location_ary_to_backtrace was not checking the length of the array before reading the first element. It can be reproduced by the following script: begin raise rescue $@ = [] end With assertions enabled, it crashes with: internal/array.h:143: Assertion Failed: RARRAY_AREF:i < RARRAY_LEN(ary) ruby 3.5.0dev (2025-09-10T19:01:16Z array-aref-assert-.. c431de0c64) +PRISM [arm64-darwin24] -- Crash Report log information -------------------------------------------- See Crash Report log file in one of the following locations: * ~/Library/Logs/DiagnosticReports * /Library/Logs/DiagnosticReports for more details. Don't forget to include the above Crash Report log file in bug reports. -- Control frame information ----------------------------------------------- c:0004 p:---- s:0015 e:000014 CFUNC :set_backtrace c:0003 p:0013 s:0012 e:000009 RESCUE test.rb:4 c:0002 p:0004 s:0006 e:000005 EVAL test.rb:1 [FINISH] c:0001 p:0000 s:0003 E:001bb0 DUMMY [FINISH] -- Ruby level backtrace information ---------------------------------------- test.rb:1:in '<main>' test.rb:4:in 'rescue in <main>' test.rb:4:in 'set_backtrace' -- Threading information --------------------------------------------------- Total ractor count: 1 Ruby thread count for this ractor: 1 -- C level backtrace information ------------------------------------------- miniruby(rb_vm_bugreport+0xb88) [0x1002adb88] vm_dump.c:1175 miniruby(rb_vm_bugreport) (null):0 miniruby(rb_assert_failure_detail+0xd4) [0x1003fbf90] error.c:1215 miniruby(rb_assert_failure_detail+0x0) [0x1003fbebc] error.c:1191 miniruby(rb_assert_failure) (null):0 miniruby(RARRAY_AREF+0x20) [0x1003f82c8] internal/array.h:143 miniruby(rb_keyword_error_new.cold.2) class.c:2867 miniruby(rb_keyword_error_new.cold.4) (null):0 miniruby(rb_location_ary_to_backtrace+0x244) [0x1002a8a60] internal/array.h:143 miniruby(RB_TEST+0x0) [0x1000ba648] error.c:2111 miniruby(exc_set_backtrace) error.c:2112 miniruby(vm_call0_body+0x7d0) [0x1002a414c] vm_eval.c:164 miniruby(rb_vm_call0+0x100) [0x100286ee4] vm_eval.c:101 miniruby(set_backtrace+0xfc) [0x1000c88a4] eval_error.c:75 miniruby(rb_gvar_set_entry+0x10) [0x100269230] variable.c:990 miniruby(rb_gvar_set) variable.c:1021 miniruby(vm_exec_core+0x1258) [0x10027a744] insns.def:319 miniruby(rb_vm_exec+0x324) [0x100277a8c] vm.c:2666 miniruby(rb_ec_exec_node+0x74) [0x1000c4a38] eval.c:282 miniruby(ruby_run_node+0x64) [0x1000c4968] eval.c:320 miniruby(rb_main+0x1c) [0x100000980] main.c:42 miniruby(main) main.c:62

Diffstat (limited to 'test/ruby')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: