archive/ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2025-08-28 15:36:16 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

String#b: Don't depend on dependent string

Browse source 
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.

The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe for using eval as a cross-version way
of registering a fstring.

```ruby
a = ('j' * 24).b.b
eval('', binding, a)

p a
4.times { GC.start }
p a
```

 - string.c (str_replace_shared_without_enc): when given a
   dependent string, depend on the root of the dependent
   string.

[Bug #15934]
This commit is contained in:
Alan Wu 2019-05-12 20:22:37 -04:00 committed by Nobuyoshi Nakada
parent 39a8c71424
commit 9dec4e8fc3
No known key found for this signature in database
GPG key ID: 4BC7D6DF58D8DF60
2 changed files with 19 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

8
test/ruby/test_string.rb
View file

@ -2983,6 +2983,14 @@ CODE
assert_equal(('a' * 24), a, '[Bug #15792]')
end
def test_nesting_shared_b
a = ('j' * 24).b.b
eval('', binding, a)
assert_equal(('j' * 24), a)
4.times { GC.start }
assert_equal(('j' * 24), a, '[Bug #15934]')
end
def test_shared_force_encoding
s = "\u{3066}\u{3059}\u{3068}".gsub(//, '')
h = {}