From: Charlie Savage
Date: 2009-03-12T15:17:59+09:00
Subject: [ruby-core:22852] [Bug #1274] Heap Corruption in float#to_s

Bug #1274: Heap Corruption in float#to_s
http://redmine.ruby-lang.org/issues/show/1274

Author: Charlie Savage
Status: Open, Priority: High
Category: core, Target version: 1.9.1
ruby -v: ruby 1.9.2dev (2009-03-12) [i386-mswin32_90]

Ruby compiled with -RCT1, VC 2008

Ruby code:

    -0.0.to_s

Result: Heap corruption.

Problem:

1. util.c:3222

    return nrv_alloc("0", rve, 1);

2. util.c:3069

    static char *
    nrv_alloc(const char *s, char **rve, int n)
    {
        char *rv, *t;

        t = rv = rv_alloc(n);
        while ((*t = *s++) != 0) t++;
        if (rve) *rve = t;
        return rv;
    }

3. The loop writes the first byte of the rv buffer to '30'. It then writes the *second* byte to '0', causing a buffer overrun.

Fix is simple: change line 3073 to:

    t = rv = rv_alloc(n+1);

----------------------------------------
http://redmine.ruby-lang.org
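The off-by-one described in the report, as an added illustration that is not part of this message or of Ruby's util.c: the copy loop is mirrored with a capacity check so the overrun is reported rather than corrupting the heap, the two allocation sizes (n and the proposed n+1) are compared for the report's call nrv_alloc("0", rve, 1), and nrv_alloc is shown with the fix applied. malloc stands in for rv_alloc; all function names here are the example's own.

```c
#include <stdlib.h>
#include <string.h>
/* Copy s and its NUL into dst as the nrv_alloc loop does, but never past
 * cap bytes. Returns the bytes the unbounded loop writes (strlen(s) + 1);
 * a result larger than cap means the original loop overruns the buffer. */
size_t checked_nul_copy(char *dst, size_t cap, const char *s)
{
    size_t written = 0;
    char c;
    do {
        c = *s++;
        if (written < cap)      /* the original loop has no such check */
            dst[written] = c;
        written++;
    } while (c != 0);
    return written;
}

/* util.c:3073 as reported (n bytes, no room for NUL) and the proposed fix. */
size_t buggy_alloc_size(size_t n) { return n; }
size_t fixed_alloc_size(size_t n) { return n + 1; }

/* 1 if copying s into a buffer of size_fn(n) bytes would overrun it. */
int overruns(const char *s, size_t n, size_t (*size_fn)(size_t))
{
    size_t cap = size_fn(n), needed;
    char *buf = malloc(cap);
    if (!buf) return -1;
    needed = checked_nul_copy(buf, cap, s);
    free(buf);
    return needed > cap;
}

/* nrv_alloc with the fix applied; malloc stands in for rv_alloc. */
char *nrv_alloc_fixed(const char *s, char **rve, size_t n)
{
    char *rv, *t;
    t = rv = malloc(n + 1);
    if (!rv) return NULL;
    while ((*t = *s++) != 0) t++;
    if (rve) *rve = t;
    return rv;
}
int main(void)
{
    /* The report's case: nrv_alloc("0", rve, 1), reached from -0.0.to_s. */
    return overruns("0", 1, buggy_alloc_size) == 1 &&
           overruns("0", 1, fixed_alloc_size) == 0 ? 0 : 1;
}
```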