ruby-changes:57287
From: usa <ko1@a...>
Date: Tue, 27 Aug 2019 01:49:21 +0900 (JST)
Subject: [ruby-changes:57287] usa: 416249b3fd (ruby_2_5): merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]
https://git.ruby-lang.org/ruby.git/commit/?id=416249b3fd
From 416249b3fdf1a0de60d1ca25aacbaba5a5a148f8 Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 26 Aug 2019 16:49:07 +0000
Subject: merge revision(s) d5c33364e3c0efb15e11df417c925afee2cdb9c9: [Backport #16105]

Fixed heap-use-after-free

* string.c (rb_str_sub_bang): retrieves a pointer to the replacement string buffer just before using it, for the case of replacement with the receiver string itself. [Bug #16105]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67773 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

diff --git a/string.c b/string.c
index ab04ac7..1f52f26 100644
--- a/string.c
+++ b/string.c
@@ -5007,7 +5007,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) https://github.com/ruby/ruby/blob/trunk/string.c#L5007
 cr = cr2;
 }
 plen = end0 - beg0;
- rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl);
+ rlen = RSTRING_LEN(repl);
 len = RSTRING_LEN(str);
 if (rlen > plen) {
 RESIZE_CAPA(str, len + rlen - plen);
@@ -5016,6 +5016,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) https://github.com/ruby/ruby/blob/trunk/string.c#L5016
 if (rlen != plen) {
 memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
 }
+ rp = RSTRING_PTR(repl);
 memmove(p + beg0, rp, rlen);
 len += rlen - plen;
 STR_SET_LEN(str, len);
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb
index 2aed901..9574ed3 100644
--- a/test/ruby/test_string.rb
+++ b/test/ruby/test_string.rb
@@ -1946,6 +1946,12 @@ CODE https://github.com/ruby/ruby/blob/trunk/test/ruby/test_string.rb#L1946
 r.taint
 a.sub!(/./, r)
 assert_predicate(a, :tainted?)
+
+ bug16105 = '[Bug #16105] heap-use-after-free'
+ a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678")
+ b = a.dup
+ c = a.slice(1, 100)
+ assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105)
 end
 
 def test_succ
diff --git a/version.h b/version.h
index ca386c0..c0e1f14 100644
--- a/version.h
+++ b/version.h
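Review bot: The position of the added `rp = RSTRING_PTR(repl);` in the second hunk is load-bearing but carries no comment: it has to stay after the `RESIZE_CAPA(str, len + rlen - plen);` of the first hunk, because when repl is the receiver itself (the case this backport fixes) the resize can reallocate str's buffer and a pointer taken earlier dangles, which is the heap-use-after-free named in the commit message. Nothing in the code prevents a later cleanup from hoisting the assignment back beside `rlen = RSTRING_LEN(repl);`, so I would pin the intent in place with `/* fetch repl's buffer only now: RESIZE_CAPA above may have reallocated str, and repl can be str itself (Bug #16105) */`. rb_str_sub_bang starts and ends outside both hunks, and the lines between them are not shown, so I assume `p` is re-read from str there after the resize; worth confirming.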
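Review bot: The new regression case only exercises a match that runs to the end of the receiver (`c = a.slice(1, 100)` takes everything after the first byte), so the tail-shifting memmove in rb_str_sub_bang runs with a zero-length tail and the test never checks that bytes after the match survive a receiver-as-replacement substitution. A second assertion with trailing text would cover that path, e.g. `b = S("XABCY"); assert_equal("XXABCYY", b.sub!(S("ABC"), b), bug16105)` (expected value constructed by hand: the match ABC is replaced by the receiver's prior content XABCY). The enclosing test method begins before the hunk.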
@@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/version.h#L1
 #define RUBY_VERSION "2.5.6"
 #define RUBY_RELEASE_DATE "2019-08-27"
-#define RUBY_PATCHLEVEL 191
+#define RUBY_PATCHLEVEL 192
 
 #define RUBY_RELEASE_YEAR 2019
 #define RUBY_RELEASE_MONTH 8
-- 
cgit v0.10.2
--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/