From 2687ecaf6fc3e07ce3cbe089d0537eb94518c082 Mon Sep 17 00:00:00 2001
From: Peter Zhu
Date: Thu, 11 Sep 2025 10:51:00 -0400
Subject: Fix use of uninitialized memory in strings

Strings created from the C API with a len but no ptr have a buffer allocated and the length set, but the buffer is not zero'd. This causes use of uninitialized memory and allows reading memory that previously existed there.

For example, the rb_str_tmp_new spec fails when we create a string with a large length greater than 24 bytes (since we zero the first 24 bytes of the slot).
---
string.c | 3 +++
1 file changed, 3 insertions(+)

(limited to 'string.c')

diff --git a/string.c b/string.c
index 20873a35a5..7b8a55a535 100644
--- a/string.c
+++ b/string.c
@@ -1066,6 +1066,9 @@ str_enc_new(VALUE klass, const char *ptr, long len, rb_encoding *enc)
 if (ptr) {
 memcpy(RSTRING_PTR(str), ptr, len);
 }
+ else {
+ memset(RSTRING_PTR(str), 0, len);
+ }
 STR_SET_LEN(str, len);
 TERM_FILL(RSTRING_PTR(str) + len, termlen);
--
cgit v1.2.3
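Review bot: The added `else` branch carries no comment saying why the zero-fill is required, and the reason — a string created with a NULL `ptr` hands the caller a buffer whose stale heap contents would otherwise be readable, which is the information-disclosure case the commit message describes — is not obvious from the code alone; I would put `/* No source buffer: zero-fill so callers never observe stale heap contents */` above the `memset`. `len` is a `long` passed straight to `memset` (and to the existing `memcpy`), so the fix relies on the `len >= 0` validation at the top of `str_enc_new`, which is outside this hunk; it is worth confirming that check precedes the allocation on every path. Having the allocator zero the buffer for the no-`ptr` case would avoid a second pass over `len` bytes, but whether the allocation helper used here supports that is not visible in the hunk. `str_enc_new` both starts and ends outside the hunk.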