[前][次][番号順一覧][スレッド一覧]

ruby-changes:56853

From: nagachika <ko1@a...>
Date: Wed, 7 Aug 2019 21:24:09 +0900 (JST)
Subject: [ruby-changes:56853] nagachika: 8a94d4b0d4 (ruby_2_6): merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]

https://git.ruby-lang.org/ruby.git/commit/?id=8a94d4b0d4

From 8a94d4b0d4f988d4e6dc2d3556e2504f44afab4b Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 7 Aug 2019 12:23:48 +0000
Subject: merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport
 #15934]

	String#b: Don't depend on dependent string

	Registering a string that depend on a dependent string as fstring
	can lead to use-after-free. See c06ddfe and 3f95620 for details.

	The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
	and 2.6.3. Credits to @wanabe for using eval as a cross-version way
	of registering a fstring.

	```ruby
	a = ('j' * 24).b.b
	eval('', binding, a)

	p a
	4.times { GC.start }
	p a
	```

	 - string.c (str_replace_shared_without_enc): when given a
	   dependent string, depend on the root of the dependent
	   string.

	[Bug #15934]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67733 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

diff --git a/string.c b/string.c
index 847533a..90ae17f 100644
--- a/string.c
+++ b/string.c
@@ -1163,19 +1163,26 @@ str_replace_shared_without_enc(VALUE str2, VALUE str) https://github.com/ruby/ruby/blob/trunk/string.c#L1163
 	TERM_FILL(ptr2+len, termlen);
     }
     else {
-	str = rb_str_new_frozen(str);
+        VALUE root;
+        if (STR_SHARED_P(str)) {
+            root = RSTRING(str)->as.heap.aux.shared;
+            RSTRING_GETMEM(str, ptr, len);
+        }
+        else {
+            root = rb_str_new_frozen(str);
+            RSTRING_GETMEM(root, ptr, len);
+        }
         if (!STR_EMBED_P(str2) && !FL_TEST_RAW(str2, STR_SHARED|STR_NOFREE)) {
             /* TODO: check if str2 is a shared root */
             char *ptr2 = STR_HEAP_PTR(str2);
-            if (STR_HEAP_PTR(str) != ptr2) {
+            if (ptr2 != ptr) {
                 ruby_sized_xfree(ptr2, STR_HEAP_SIZE(str2));
             }
         }
 	FL_SET(str2, STR_NOEMBED);
-	RSTRING_GETMEM(str, ptr, len);
 	RSTRING(str2)->as.heap.len = len;
 	RSTRING(str2)->as.heap.ptr = ptr;
-	STR_SET_SHARED(str2, str);
+	STR_SET_SHARED(str2, root);
     }
     return str2;
 }
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb
index d50380a..de22815 100644
--- a/test/ruby/test_string.rb
+++ b/test/ruby/test_string.rb
@@ -2981,6 +2981,14 @@ CODE https://github.com/ruby/ruby/blob/trunk/test/ruby/test_string.rb#L2981
     assert_equal(('a' * 24), a, '[Bug #15792]')
   end
 
+  def test_nesting_shared_b
+    a = ('j' * 24).b.b
+    eval('', binding, a)
+    assert_equal(('j' * 24), a)
+    4.times { GC.start }
+    assert_equal(('j' * 24), a, '[Bug #15934]')
+  end
+
   def test_shared_force_encoding
     s = "\u{3066}\u{3059}\u{3068}".gsub(//, '')
     h = {}
diff --git a/version.h b/version.h
index 0bd57f4..cf1760a 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/version.h#L1
 #define RUBY_VERSION "2.6.3"
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 83
+#define RUBY_PATCHLEVEL 84
 
 #define RUBY_RELEASE_YEAR 2019
 #define RUBY_RELEASE_MONTH 8
-- 
cgit v0.10.2


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/

[前][次][番号順一覧][スレッド一覧]