From: thoger@...
Date: 2014-07-28T15:42:43+00:00
Subject: [ruby-core:64103] [ruby-trunk - Bug #10019] segmentation fault/buffer overrun in pack.c (encodes)

Issue #10019 has been updated by Tomas Hoger.


Will Wood wrote:
> Here's the issue.  In the loop (len >= 3) you check to see if there's enough room in buff.  Unfortunately if len < 3 we don't flush the buffer and then write additional bytes onto the end without checking.

The check at the end of each iteration of the while loop ensures that there are at least 4 bytes left in the buff.  So there is enough space to write additional 4 output bytes for the remaining 1 or 2 input bytes with padding if 0 < len < 3.  Only the additional '\n' written in the tail_lf == 1 case was not accounted for, and was addressed by the +1.

> You also don't need the + 1 byte or a 4K buffer either, your call but patch is 256 bytes for the buffer.

Can you test with just one of the two changes - either force flush if len < 3, or reduce buff_size?

----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://bugs.ruby-lang.org/issues/10019#change-48114

* Author: Will Wood
* Status: Feedback
* Priority: Normal
* Assignee: 
* Category: core
* Target version: 
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: REQUIRED, 2.1: DONE
----------------------------------------
While working with an AWS sample I hit a segmentation fault.  The same sample works under 1.9.3.  It appeared to be coming from pack.c function encodes.  After looking at the source there's a 4K buffer allocated on the stack.  I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap.  Anyway, after fixing this my code sample runs fine.  I'm including a patch file and the sample code.

---Files--------------------------------
pack.patch (2.74 KB)
BucketTest.rb (326 Bytes)
pack.c.patch (769 Bytes)


-- 
https://bugs.ruby-lang.org/