From: poulwann@...
Date: 2014-08-01T09:57:57+00:00
Subject: [ruby-core:64153] [ruby-trunk - Bug #10019] segmentation fault/buffer overrun in pack.c (encodes)

Issue #10019 has been updated by Poul Wann Jensen.


This crash only triggers with -D FORTIFY_SOURCE. When calling rb_str_buf_cat at the end of encodes for the situation where the len variable ends up as 4. As in the example in ["a"*(3072*3-2)].pack("m3072"). This causes 1 byte corruption of the stack, triggering __fortify_fail at the epiloque of rb_str_buf_cat and the rb_bug will never be executed in this case, unless it is compiled without FORTIFY_SOURCE.

Stack canary protection on Windows should produce the same crash I suspect, but this was tested on GCC 4.8.2.

----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://bugs.ruby-lang.org/issues/10019#change-48157

* Author: Will Wood
* Status: Feedback
* Priority: Normal
* Assignee: 
* Category: core
* Target version: 
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: REQUIRED, 2.1: DONE
----------------------------------------
While working with an AWS sample I hit a segmentation fault.  The same sample works under 1.9.3.  It appeared to be coming from pack.c function encodes.  After looking at the source there's a 4K buffer allocated on the stack.  I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap.  Anyway, after fixing this my code sample runs fine.  I'm including a patch file and the sample code.

---Files--------------------------------
pack.patch (2.74 KB)
BucketTest.rb (326 Bytes)
pack.c.patch (769 Bytes)


-- 
https://bugs.ruby-lang.org/