From d5c33364e3c0efb15e11df417c925afee2cdb9c9 Mon Sep 17 00:00:00 2001 From: Nobuyoshi Nakada Date: Thu, 15 Aug 2019 23:25:37 +0900 Subject: Fixed heap-use-after-free * string.c (rb_str_sub_bang): retrieves a pointer to the replacement string buffer just before using it, for the case of replacement with the receiver string itself. [Bug #16105] --- string.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'string.c') diff --git a/string.c b/string.c index 9331532d15..6ec0514ba4 100644 --- a/string.c +++ b/string.c @@ -5098,7 +5098,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) cr = cr2; } plen = end0 - beg0; - rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl); + rlen = RSTRING_LEN(repl); len = RSTRING_LEN(str); if (rlen > plen) { RESIZE_CAPA(str, len + rlen - plen); @@ -5107,6 +5107,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) if (rlen != plen) { memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen); } + rp = RSTRING_PTR(repl); memmove(p + beg0, rp, rlen); len += rlen - plen; STR_SET_LEN(str, len); -- cgit v1.2.3