
ruby-changes:57151

From: nagachika <ko1@a...>
Date: Sun, 18 Aug 2019 16:32:34 +0900 (JST)
Subject: [ruby-changes:57151] nagachika: a2da0c2a4d (ruby_2_6): merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]

https://git.ruby-lang.org/ruby.git/commit/?id=a2da0c2a4d

From a2da0c2a4d021b65543a9f15e052e937e67e3a18 Mon Sep 17 00:00:00 2001
From: nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sun, 18 Aug 2019 07:22:19 +0000
Subject: merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport
 #16105]

	Fixed heap-use-after-free

	* string.c (rb_str_sub_bang): retrieves a pointer to the
	  replacement string buffer just before using it, for the case of
	  replacement with the receiver string itself.  [Bug #16105]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67747 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

diff --git a/string.c b/string.c
index 0caea99..07268f0 100644
--- a/string.c
+++ b/string.c
@@ -5078,7 +5078,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) https://github.com/ruby/ruby/blob/trunk/string.c#L5078
                 cr = cr2;
 	}
 	plen = end0 - beg0;
-	rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl);
+        rlen = RSTRING_LEN(repl);
 	len = RSTRING_LEN(str);
 	if (rlen > plen) {
 	    RESIZE_CAPA(str, len + rlen - plen);
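Review bot: The added line `rlen = RSTRING_LEN(repl);` is indented with eight spaces while the line it replaces and its neighbours (`plen = end0 - beg0;`, `len = RSTRING_LEN(str);`) use a tab, so the hunk introduces a whitespace-only inconsistency in an otherwise tab-indented run. Keeping the tab, `	rlen = RSTRING_LEN(repl);`, keeps the block uniform and avoids a spurious diff for the next editor. rb_str_sub_bang starts and ends outside this hunk.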
@@ -5087,6 +5087,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) https://github.com/ruby/ruby/blob/trunk/string.c#L5087
 	if (rlen != plen) {
 	    memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
 	}
+	rp = RSTRING_PTR(repl);
 	memmove(p + beg0, rp, rlen);
 	len += rlen - plen;
 	STR_SET_LEN(str, len);
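Review bot: The relocated `rp = RSTRING_PTR(repl);` carries no comment saying why it must stay after `RESIZE_CAPA` and the tail `memmove`, so a later cleanup could hoist it back next to `rlen` and reintroduce the use-after-free. A comment such as `/* repl may be str itself: RESIZE_CAPA above can reallocate the buffer, so fetch the pointer only now */` would pin the ordering. The copy on the next line also relies on `memmove` rather than `memcpy`, since source and destination overlap when repl aliases the receiver; worth stating in the same comment. rb_str_sub_bang starts and ends outside this hunk, and the refetch of `p` after `RESIZE_CAPA` is presumably in the lines between the two hunks, which I cannot see here.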
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb
index b8ae50d..23da909 100644
--- a/test/ruby/test_string.rb
+++ b/test/ruby/test_string.rb
@@ -2008,6 +2008,12 @@ CODE https://github.com/ruby/ruby/blob/trunk/test/ruby/test_string.rb#L2008
     r.taint
     a.sub!(/./, r)
     assert_predicate(a, :tainted?)
+
+    bug16105 = '[Bug #16105] heap-use-after-free'
+    a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678")
+    b = a.dup
+    c = a.slice(1, 100)
+    assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105)
   end
 
   def test_succ
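Review bot: The regression case leaves the reader to work out why these particular lengths were chosen: `b` (35 bytes) is used both as the receiver and as the replacement for `c` (34 bytes), so `sub!` takes the `rlen > plen` growth path with `repl` aliasing `str`. A comment such as `# replacement is the receiver itself and is longer than the match, so sub! must resize before reading repl's buffer` above the `a = S(...)` line would make the intent explicit. Reusing `a` and `b` from the taint check just above is harmless but a fresh name would make the new case easier to read in isolation. The enclosing test method starts outside this hunk.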
diff --git a/version.h b/version.h
index 5ea21f1..1b1ef96 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/version.h#L1
 #define RUBY_VERSION "2.6.3"
 #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR
-#define RUBY_PATCHLEVEL 97
+#define RUBY_PATCHLEVEL 98
 
 #define RUBY_RELEASE_YEAR 2019
 #define RUBY_RELEASE_MONTH 8
-- 


