From: nobu@...
Date: 2014-09-29T13:54:49+00:00
Subject: [ruby-core:65319] [ruby-trunk - Bug #10304] [Closed] File.expand_path crashes with tilde on Windows

Issue #10304 has been updated by Nobuyoshi Nakada.

Status changed from Assigned to Closed
% Done changed from 0 to 100

Applied in changeset r47737.

----------
string.c: fix NOFREE

* string.c (str_make_independent_expand): drop NOFREE flag after
  reallocation, static buffer is not pointed anymore.
  [ruby-core:65317] [Bug #10304]

----------------------------------------
Bug #10304: File.expand_path crashes with tilde on Windows
https://bugs.ruby-lang.org/issues/10304#change-49138

* Author: Hiroshi Shirosaki
* Status: Closed
* Priority: Normal
* Assignee: Nobuyoshi Nakada
* Category:
* Target version:
* ruby -v: ruby 2.2.0dev (2014-09-29 trunk 47735) [x64-mingw32]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
`File.expand_path` crashes with a user home that starts with a tilde, using mingw ruby.
`TestFileExhaustive#test_expand_path_home` in test-all crashed.

```
$ ./miniruby -e 'File.expand_path("~aaaaaaaaaaaaaaaaaaaaaa")'
-e:1: [BUG] probable buffer overflow: 22 for 16
ruby 2.2.0dev (2014-09-29 trunk 47735) [x64-mingw32]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0008 e:000007 CFUNC  :expand_path
c:0002 p:0013 s:0004 E:0000f0 EVAL   -e:1 [FINISH]
c:0001 p:0000 s:0002 E:000a00 TOP    [FINISH]

-- Ruby level backtrace information ----------------------------------------
-e:1:in `<main>'
-e:1:in `expand_path'

-- C level backtrace information -------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll(NtWaitForSingleObject+0xa) [0x00000000774212FA]
C:\Windows\system32\KERNELBASE.dll(WaitForSingleObjectEx+0x9c) [0x000007FEFD9410DC]
[0x000000000059FE74]
[0x000000000044B91C]
[0x0000000000539E83]
[0x00000000005C6E0D]
[0x00000000005C76A9]
[0x0000000000461A9F]
[0x000000000058A316]
[0x0000000000597161]
[0x000000000058F9CB]
[0x0000000000593781]
[0x000000000059C390]
[0x00000000004507B1]
[0x0000000000453901]
[0x00000000005CDD84]
[0x00000000004013D7]
[0x00000000004014F8]
C:\Windows\system32\kernel32.dll(BaseThreadInitThunk+0xd) [0x00000000771C59ED]

-- Other runtime information -----------------------------------------------
* Loaded script: -e

* Loaded features:

0 enumerator.so
1 rational.so
2 complex.so

```

It seems `rb_str_modify_expand()` doesn't expand the string. Here is a patch.

```patch
diff --git a/win32/file.c b/win32/file.c
index 99c3521..549657e 100644
--- a/win32/file.c
+++ b/win32/file.c
@@ -290,10 +290,9 @@ append_wstr(VALUE dst, const wchar_t *ws, size_t len, UINT cp, UINT path_cp, rb_
     if (cp == path_cp) {
         nlen = WideCharToMultiByte(cp, 0, ws, len, NULL, 0, NULL, NULL);
         olen = RSTRING_LEN(dst);
-        rb_str_modify_expand(dst, nlen);
+        rb_str_resize(dst, olen + nlen);
         WideCharToMultiByte(cp, 0, ws, len, RSTRING_PTR(dst) + olen, nlen, NULL, NULL);
         rb_enc_associate(dst, path_encoding);
-        rb_str_set_len(dst, nlen);
     }
     else {
         const int replaceflags = ECONV_UNDEF_REPLACE|ECONV_INVALID_REPLACE;
```

-- 
https://bugs.ruby-lang.org/
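Review bot: the second WideCharToMultiByte call in this hunk still ignores its return value, and because `rb_str_resize(dst, olen + nlen)` now fixes the length before the conversion runs, a failed conversion (return 0) leaves a string of olen + nlen bytes whose tail was never written; check the result and trim with `rb_str_set_len(dst, olen + written)`. The removed `rb_str_set_len(dst, nlen)` set the length to nlen rather than olen + nlen, so the hunk also changes the resulting length whenever olen is non-zero, which deserves a line in the commit message. Since the changeset note above records the root cause as the NOFREE flag not being dropped in string.c's str_make_independent_expand, this win32/file.c change sidesteps that bug rather than fixing it.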
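The changeset message above attributes the crash to str_make_independent_expand leaving the NOFREE flag set after it had already moved the string onto a fresh heap buffer. The C below is an added, constructed model of that mechanism, not Ruby's code: the `mstr` type and its functions are stand-ins for RString, rb_str_capacity, str_make_independent_expand and rb_str_set_len. With the flag left set, the capacity query still answers as if the buffer were the untouched static one, so the length check fails like the report's "22 for 16" even though the reallocated buffer has room.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (constructed for this example, not Ruby's code) of the flag the
 * changeset touches: a NOFREE string points at a static buffer, so no
 * capacity is tracked for it and its capacity is reported as its length. */
typedef struct {
    char *ptr;
    size_t len;
    size_t capa;   /* meaningful only when nofree == false */
    bool nofree;   /* true: ptr is a static buffer that is never freed */
} mstr;

/* Like rb_str_capacity(): a NOFREE buffer has no spare room beyond len. */
static size_t mstr_capacity(const mstr *s) {
    return s->nofree ? s->len : s->capa;
}

/* Like str_make_independent_expand(): copy into a heap buffer with `expand`
 * spare bytes. drop_nofree == false reproduces the pre-r47737 behaviour. */
static void mstr_make_independent_expand(mstr *s, size_t expand, bool drop_nofree) {
    char *p = malloc(s->len + expand + 1);
    memcpy(p, s->ptr, s->len);
    p[s->len] = '\0';
    s->ptr = p;
    s->capa = s->len + expand;
    if (drop_nofree) s->nofree = false;   /* the fix: the buffer is now ours */
}

/* Like rb_str_set_len(): -1 where Ruby calls rb_bug("probable buffer overflow"). */
static int mstr_set_len(mstr *s, size_t len) {
    if (len > mstr_capacity(s)) return -1;
    s->len = len;
    s->ptr[len] = '\0';
    return 0;
}

/* append_wstr()'s expand/write/set_len pattern on a constructed 16-byte path
 * plus 6 bytes (the report's "22 for 16"); *seen gets the capacity the check saw. */
static int append_demo(bool fixed, size_t *seen) {
    mstr s = { "C:/Users/aaaaaaa", 16, 0, true };
    const char extra[] = "bbbbbb";
    size_t n = sizeof extra - 1;
    mstr_make_independent_expand(&s, n, fixed);
    char *heap = s.ptr;                      /* keep for free(): nofree may still lie */
    memcpy(s.ptr + s.len, extra, n);         /* the heap buffer really is big enough */
    *seen = mstr_capacity(&s);
    int rc = mstr_set_len(&s, s.len + n);
    free(heap);
    return rc;
}
```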