From 416249b3fdf1a0de60d1ca25aacbaba5a5a148f8 Mon Sep 17 00:00:00 2001
From: usa
Date: Mon, 26 Aug 2019 16:49:07 +0000
Subject: merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105] Fixed heap-use-after-free * string.c (rb_str_sub_bang): retrieves a pointer to the replacement string buffer just before using it, for the case of replacement with the receiver string itself. [Bug #16105]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67773 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/ruby/test_string.rb | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'test')
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb
index 2aed90193e..9574ed31c9 100644
--- a/test/ruby/test_string.rb
+++ b/test/ruby/test_string.rb
@@ -1946,6 +1946,12 @@ CODE
 r.taint
 a.sub!(/./, r)
 assert_predicate(a, :tainted?)
+
+ bug16105 = '[Bug #16105] heap-use-after-free'
+ a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678")
+ b = a.dup
+ c = a.slice(1, 100)
+ assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105)
 end
 def test_succ
-- cgit v1.2.3
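Review bot: The new regression case at the end of this test method does not record why its inputs have this shape. A later cleanup that shortens the literal or drops `b = a.dup` / `c = a.slice(1, 100)` could presumably stop exercising the freed-buffer path while the test stays green. A comment above `bug16105 = ...` would help, for example `# long string so b and c share a's buffer; b is both receiver and replacement`, worded only after checking it against string.c, which this view (limited to 'test') does not show. Also, `assert_equal` only compares the resulting value, so a reintroduced use-after-free may go unnoticed unless the suite is also run under a memory sanitizer. The enclosing test method starts outside the hunk.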