diff options
| author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-18 07:22:19 +0000 |
|---|---|---|
| committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-18 07:22:19 +0000 |
| commit | a2da0c2a4d021b65543a9f15e052e937e67e3a18 (patch) | |
| tree | fb0903d123effc0cca96f5486a1bbade05673a32 /test | |
| parent | 1ea42115afaeba2aad4bbe8567be4b938c499d31 (diff) | |
merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]
Fixed heap-use-after-free
* string.c (rb_str_sub_bang): retrieves a pointer to the
replacement string buffer just before using it, for the case of
replacement with the receiver string itself. [Bug #16105]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67747 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
| -rw-r--r-- | test/ruby/test_string.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index b8ae50d30d..23da909592 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -2008,6 +2008,12 @@ CODE r.taint a.sub!(/./, r) assert_predicate(a, :tainted?) + + bug16105 = '[Bug #16105] heap-use-after-free' + a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678") + b = a.dup + c = a.slice(1, 100) + assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105) end def test_succ |