diff options
author | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2019-08-15 23:25:37 +0900 |
---|---|---|
committer | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2019-08-15 23:39:14 +0900 |
commit | d5c33364e3c0efb15e11df417c925afee2cdb9c9 (patch) | |
tree | 0a279f68525a5f8ac581d8b72a693067dbd40065 /test/ruby | |
parent | c4152b11a7fbc849a545b34e5b9d85f1fdc1a21f (diff) |
Fixed heap-use-after-free
* string.c (rb_str_sub_bang): retrieves a pointer to the
replacement string buffer just before using it, for the case of
replacement with the receiver string itself. [Bug #16105]
Diffstat (limited to 'test/ruby')
-rw-r--r-- | test/ruby/test_string.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index 7ae3bf272e..36d246f9e0 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -2010,6 +2010,12 @@ CODE r.taint a.sub!(/./, r) assert_predicate(a, :tainted?) + + bug16105 = '[Bug #16105] heap-use-after-free' + a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678") + b = a.dup + c = a.slice(1, 100) + assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105) end def test_succ |