diff options
| author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-07 12:23:48 +0000 |
|---|---|---|
| committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-07 12:23:48 +0000 |
| commit | 8a94d4b0d4f988d4e6dc2d3556e2504f44afab4b (patch) | |
| tree | 19ae6d1ec9be5a676914a36606ab76deb92352f7 /test | |
| parent | da36d5700d9e0e66411d93595b6f654c85853fa1 (diff) | |
merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.
The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe for using eval as a cross-version way
of registering a fstring.
```ruby
a = ('j' * 24).b.b
eval('', binding, a)
p a
4.times { GC.start }
p a
```
- string.c (str_replace_shared_without_enc): when given a
dependent string, depend on the root of the dependent
string.
[Bug #15934]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67733 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
| -rw-r--r-- | test/ruby/test_string.rb | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index d50380aaf6..de22815a38 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -2981,6 +2981,14 @@ CODE assert_equal(('a' * 24), a, '[Bug #15792]') end + def test_nesting_shared_b + a = ('j' * 24).b.b + eval('', binding, a) + assert_equal(('j' * 24), a) + 4.times { GC.start } + assert_equal(('j' * 24), a, '[Bug #15934]') + end + def test_shared_force_encoding s = "\u{3066}\u{3059}\u{3068}".gsub(//, '') h = {} |