From: thoger@...
Date: 2014-07-10T18:22:19+00:00
Subject: [ruby-core:63638] [ruby-trunk - Bug #10019] segmentation fault/buffer overrun in pack.c (encodes)

Issue #10019 has been updated by Tomas Hoger.

Nobuyoshi Nakada wrote:
> But if `tail_lf` is 1, `len` is a multiple of 3, so it can't be 3070.

`len` in `encodes()` can be anything between 1 and `len` from `pack_pack()` (which is a multiple of 3). It is possible to trigger the mentioned off-by-one overflow in one of the following ways:

* the length of the input string is 3070 (or 3071) and the count value for the `m` format directive is 3072 or more
* the count value for the `m` format directive is exactly 3072 and the length of the input string is n*3072 - 2 (or -1)

I.e.:

* `["a"*3070].pack("m4000")`
* `["a"*(3072*3-2)].pack("m3072")`

Depending on platform, compiler, compiler flags, ... this may or may not produce a reliable crash. Anyway, it's unclear if that is the problem observed by the reporter. The `aws-sdk` and its dependencies only seem to use `pack("m0")`, which cannot trigger this overflow.

----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://bugs.ruby-lang.org/issues/10019#change-47689

* Author: Will Wood
* Status: Feedback
* Priority: Low
* Assignee: 
* Category: core
* Target version: 
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
While working with an AWS sample I hit a segmentation fault. The same sample works under 1.9.3. It appeared to be coming from pack.c function encodes. After looking at the source there's a 4K buffer allocated on the stack. I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap. Anyway, after fixing this my code sample runs fine. I'm including a patch file and the sample code.

---Files--------------------------------
pack.patch (2.74 KB)
BucketTest.rb (326 Bytes)

-- 
https://bugs.ruby-lang.org/
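The following Ruby script is an added regression check for the two input shapes Tomas Hoger lists above; it is not code from the bug report, from the attached pack.patch, or from ruby's pack.c. For each `m<count>` case it predicts the size of the packed output from the documented line layout of the `m` directive (count 0 gives one unbroken line, counts of 1 or 2 fall back to 45 input bytes per line, larger counts are rounded down to a multiple of 3), compares that with what `Array#pack` actually returns, and confirms the output decodes back to the input. The layout arithmetic and the function names (`bytes_per_line`, `expected_packed_size`, `check_pack`) are my own.

```ruby
# Added regression check for Bug #10019 (not code from the report or from
# ruby's pack.c). For each "m<count>" case it predicts the packed output
# size from the "m" directive's line layout, compares it with what
# Array#pack actually returns, and confirms the result decodes back to the
# input. The layout arithmetic below is my own reading of that directive.

# Input bytes Ruby packs per output line for "m<count>": count 0 means a
# single unbroken line with no trailing newline; 1 or 2 fall back to 45;
# larger counts are rounded down to a multiple of 3.
def bytes_per_line(count)
  return nil if count.zero?
  return 45 if count <= 2
  count / 3 * 3
end

# Predicted size of ["x" * n].pack("m<count>"): four base64 characters per
# (padded) 3-byte group, plus one "\n" per output line when lines are used.
def expected_packed_size(n, count)
  groups = (n + 2) / 3
  per_line = bytes_per_line(count)
  lines = per_line ? (n + per_line - 1) / per_line : 0
  groups * 4 + lines
end

# Run the real encoder on n bytes of constructed input and report the
# actual size, the predicted size, and whether the output round-trips.
def check_pack(n, count)
  input = "a" * n                      # constructed sample input
  packed = [input].pack("m#{count}")
  expected = expected_packed_size(n, count)
  {
    size: packed.bytesize,
    expected_size: expected,
    size_ok: packed.bytesize == expected,
    roundtrip_ok: packed.unpack("m")[0] == input,
  }
end

if __FILE__ == $PROGRAM_NAME
  # The two shapes from the message above, plus the "m0" form aws-sdk uses.
  [[3070, 4000], [3072 * 3 - 2, 3072], [3070, 0]].each do |n, count|
    r = check_pack(n, count)
    puts "n=#{n} m#{count}: size=#{r[:size]} expected=#{r[:expected_size]} " \
         "size_ok=#{r[:size_ok]} roundtrip_ok=#{r[:roundtrip_ok]}"
  end
end
```

Running it on a fixed Ruby prints `size_ok=true roundtrip_ok=true` for all three cases. The predicted sizes also make the boundary visible: 3070 input bytes encode to 4096 base64 characters, and with a line count in effect the encoder still has to append a newline, so the single output line is 4097 bytes, one more than the 4K stack buffer the report describes. With `m0` no newline is appended and the output is exactly 4096 bytes, which is consistent with Hoger's remark that `pack("m0")` cannot reach the overflow.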