From: cremno@...
Date: 2015-05-28T14:25:49+00:00
Subject: [ruby-core:69393] [Ruby trunk - Bug #11192] [Open] capture group special variable with large index invokes UB

Issue #11192 has been reported by cremno phobia.

----------------------------------------
Bug #11192: capture group special variable with large index invokes UB
https://bugs.ruby-lang.org/issues/11192

* Author: cremno phobia
* Status: Open
* Priority: Normal
* Assignee:
* ruby -v:
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
~~~
$ ruby --dump=parsetree -e "$9999999999"
###########################################################
## Do NOT use this node dump for any purpose other than ##
## debug and research. Compatibility is not guaranteed. ##
###########################################################

# @ NODE_SCOPE (line: 1)
# +- nd_tbl: (empty)
# +- nd_args:
# |   (null node)
# +- nd_body:
#     @ NODE_NTH_REF (line: 1)
#     +- nd_nth: $1410065407
~~~

The culprit is [this line](https://github.com/ruby/ruby/blob/4d059bf9f5f10f3d3088de49fc87e5555db7770d/parse.y#L7673) in `parse.y` which contains a call to `atoi()`. A simple, non-intrusive fix could be calling a function with well-defined behavior when the resulting value can't be represented instead (such as `strtoul()`) and of course also adding a range check. But perhaps a syntax error is undesired here.

--
https://bugs.ruby-lang.org/
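
The fix proposed in the report above (a conversion with defined overflow behaviour plus a range check), as an added C example that is not from the report or the Ruby source: `parse_nth_ref`, `wrap32` and the `NTH_REF_MAX` limit are assumptions made for illustration. `wrap32` shows that the dumped `$1410065407` equals 9999999999 reduced modulo 2^32.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed upper bound for a capture-group index; the report does not
 * say which limit parse.y should enforce. */
#define NTH_REF_MAX ((unsigned long)INT_MAX)

/* Parse the decimal digits that follow '$' in an nth-reference token.
 * Returns 0 and stores the index in *out, or -1 if the text is not a
 * plain decimal number or the value exceeds NTH_REF_MAX. */
static int parse_nth_ref(const char *digits, int *out)
{
    char *end;
    unsigned long n;
    /* strtoul() would accept leading whitespace or a sign; reject them. */
    if (digits[0] < '0' || digits[0] > '9')
        return -1;
    errno = 0;
    n = strtoul(digits, &end, 10);
    if (*end != '\0')
        return -1;              /* trailing non-digit characters */
    if (errno == ERANGE)
        return -1;              /* did not fit in unsigned long */
    if (n > NTH_REF_MAX)
        return -1;              /* fits in unsigned long, not in int */
    *out = (int)n;
    return 0;
}

/* Well-defined reduction of the digits modulo 2^32, to show where the
 * dumped value can come from when an overflowing result is truncated. */
static uint32_t wrap32(const char *digits)
{
    uint32_t v = 0;
    for (; *digits >= '0' && *digits <= '9'; digits++)
        v = v * 10u + (uint32_t)(*digits - '0');
    return v;
}

int main(void)
{
    int idx = 0;
    printf("wrap32 = %lu\n", (unsigned long)wrap32("9999999999"));
    printf("checked = %d\n", parse_nth_ref("9999999999", &idx));
    return 0;
}
```

Whether the caller turns the `-1` into a syntax error or some other diagnostic is the open question the report ends on.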