From: Jeremy Evans
Date: 2010-08-04T15:20:44+09:00
Subject: [ruby-core:31615] [Bug #3652] Typo in rb_str_resize causes arbitrary data to be used

Bug #3652: Typo in rb_str_resize causes arbitrary data to be used
http://redmine.ruby-lang.org/issues/show/3652

Author: Jeremy Evans
Status: Open, Priority: High
ruby -v: head, 1.9.2, 1.9.1

In rb_str_resize, if resizing a string with 0 length but larger capa to a size less than or equal to RSTRING_EMBED_LEN_MAX (23 bytes on 64-bit platforms, probably 11 bytes on 32-bit platforms), you get random memory contents in the string. For example, this code in a C function can trigger it:

    #include <ruby.h>

    static VALUE trigger(VALUE self)
    {
        int len;
        VALUE s;
        s = rb_str_buf_new(127);                            /* length 0, capa 127 */
        len = snprintf(RSTRING_PTR(s), 127, "123456789");
        return rb_str_resize(s, len);                       /* 9 <= RSTRING_EMBED_LEN_MAX */
    }

But if the snprintf line is:

    len = snprintf(RSTRING_PTR(s), 127, "123456789012345678901234");

then the bug does not occur.

This happens because ruby checks if the current length of the string is greater than 0, instead of checking the new length. When you use rb_str_buf_new, you create an empty string buffer (length 0, capa > 127) that you can write into and then truncate to a desired length via rb_str_resize.

I think this fix is important enough to backport to 1.9.2 and 1.9.1, so I've included patches for them as well as head. Hopefully the 1.9.2 fix can be applied before 1.9.2 final is released.

----------------------------------------
http://redmine.ruby-lang.org
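The following is an added example and is not code from the bug report or from the Ruby source tree. It models the embedded/heap layout of a Ruby string in a small stand-alone type so the reported failure can be reproduced without ruby.h: a buffer string is created with length 0, written into with snprintf, then truncated to the written length, once with the copy into the embedded array gated on the old length (the reported typo) and once gated on the new length. The type name tstr, its helper functions, the 23-byte EMBED_LEN_MAX and the 0xAA fill used to make stale union bytes visible are all assumptions made for this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this model: the 64-bit embed limit quoted in the report. */
#define EMBED_LEN_MAX 23

/* Toy stand-in for RString: a length plus a union of an embedded
 * character array and a heap pointer/capacity pair. */
typedef struct {
    int embedded;
    size_t len;
    union {
        char ary[EMBED_LEN_MAX + 1];
        struct { char *ptr; size_t capa; } heap;
    } as;
} tstr;

/* Like rb_str_buf_new: length 0, writable heap buffer of 'capa' bytes. */
static tstr *tstr_buf_new(size_t capa)
{
    tstr *s = malloc(sizeof *s);
    memset(s, 0xAA, sizeof *s);        /* constructed stale bytes in the union */
    s->embedded = 0;
    s->len = 0;
    s->as.heap.ptr = malloc(capa + 1);
    s->as.heap.capa = capa;
    s->as.heap.ptr[0] = '\0';
    return s;
}

static char *tstr_ptr(tstr *s)
{
    return s->embedded ? s->as.ary : s->as.heap.ptr;
}

/* Like rb_str_resize. With buggy != 0 the copy into the embedded array is
 * gated on the OLD length (the reported typo); otherwise on the NEW length. */
static void tstr_resize(tstr *s, size_t len, int buggy)
{
    if (!s->embedded && len <= EMBED_LEN_MAX) {
        char *ptr = s->as.heap.ptr;    /* save before the union is reused */
        size_t old_len = s->len;
        s->embedded = 1;
        if (buggy ? old_len > 0 : len > 0)
            memcpy(s->as.ary, ptr, len);
        free(ptr);
    } else if (!s->embedded) {
        if (len > s->as.heap.capa) {
            s->as.heap.ptr = realloc(s->as.heap.ptr, len + 1);
            s->as.heap.capa = len;
        }
    } else if (len > EMBED_LEN_MAX) {
        char *ptr = malloc(len + 1);   /* embedded -> heap */
        memcpy(ptr, s->as.ary, s->len);
        s->embedded = 0;
        s->as.heap.ptr = ptr;
        s->as.heap.capa = len;
    }
    s->len = len;
    tstr_ptr(s)[len] = '\0';
}

static void tstr_free(tstr *s)
{
    if (!s->embedded) free(s->as.heap.ptr);
    free(s);
}

/* Reproduce the report's pattern: write into a 127-byte buffer string, then
 * truncate to the written length. Returns 1 if the contents survived. */
static int resize_keeps_contents(const char *text, int buggy)
{
    tstr *s = tstr_buf_new(127);
    int len = snprintf(tstr_ptr(s), 127, "%s", text);
    int ok;
    tstr_resize(s, (size_t)len, buggy);
    ok = strcmp(tstr_ptr(s), text) == 0;
    tstr_free(s);
    return ok;
}

int main(void)
{
    const char *short_text = "123456789";                 /* 9 bytes  */
    const char *long_text  = "123456789012345678901234";  /* 24 bytes */
    printf("9 bytes,  old-length check: %s\n", resize_keeps_contents(short_text, 1) ? "ok" : "CORRUPTED");
    printf("9 bytes,  new-length check: %s\n", resize_keeps_contents(short_text, 0) ? "ok" : "CORRUPTED");
    printf("24 bytes, old-length check: %s\n", resize_keeps_contents(long_text, 1) ? "ok" : "CORRUPTED");
    return 0;
}
```

In the model the old-length check is always false for a string that came from the buffer constructor, so the bytes that happen to occupy the union (here the old heap pointer, the capacity and the 0xAA fill) become the string's contents; only a new length above EMBED_LEN_MAX, such as the 24-byte case, avoids the embedded path and with it the bug.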