From: Eric Wong
Date: 2015-06-25T08:22:23+00:00
Subject: [ruby-core:69737] Re: [Ruby trunk - Bug #11306] [Open] Segmentation fault

dsaronin@gmail.com wrote:
> static VALUE cups_get_device_uri(VALUE self, VALUE printer)
> {
>   if (!printer_exists(printer))
>   {
>     rb_raise(rb_eRuntimeError, "The printer or destination doesn't exist!");
>   }
>
>   VALUE options_list;
>   http_t *http;
>   ipp_t *request;
>   ipp_t *response;
>   ipp_attribute_t *attr;
>   char uri[1024];
>   char *location;
>   char *name = RSTRING_PTR(printer);

You want to use StringValueCStr or StringValuePtr when you see
untrusted user-input instead of RSTRING_PTR. RSTRING_PTR will
segfault if the user calls a function with a non-String.

>   request = ippNewRequest(IPP_GET_PRINTER_ATTRIBUTES);
>   httpAssembleURIf(HTTP_URI_CODING_ALL, uri, sizeof(uri), "ipp", NULL, "localhost", 0, "/printers/%s", name);

You also need to add a GC guard for VALUE where you got `name' from
after the last use of `name' in your function:

	RB_GC_GUARD(printer);

Nowadays with better optimizing compilers, the `volatile' type
qualifier for args in the StringValue* family functions is
insufficient to protect VALUEs from inadvertent GC. RB_GC_GUARD
must be used.

See doc/extension.rdoc in the latest Ruby trunk or README.EXT in the
2.2 source tarball for more info on these APIs.

And feel free to ask for clarification here on the ruby-core ML.

> cups.c (14.2 KB)

Lots of similar problems in cups.c too. The same pattern described
above needs to happen with RSTRING_PTR => StringValueCStr/StringValuePtr
and the addition of RB_GC_GUARD calls after the last access to the
underlying pointer.

There may be other problems in the code, too, but these are the
ones that jumped out to my tired, sleepy eyes...
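
A regression check for the crash class described in the message above, as an added example that is not part of the original message or of the cups extension: it calls a method with non-String arguments in a child interpreter and lists every call that does not end in TypeError. The names `probe` and `non_string_failures` are hypothetical, and core `File.basename` plus a self-sent SIGSEGV are constructed stand-ins for the extension method and for its crash.

```ruby
require "open3"
require "rbconfig"

# Constructed sample arguments: values a caller could pass where the
# extension method expects a String.
NON_STRING_ARGS = ["nil", "42", ":sym", "[]", "Object.new"].freeze

# Run one snippet in a child interpreter and classify how it ended.
# A segfault in C code takes the whole process down, so the probe must
# never run inside the test process itself.
def probe(snippet, requires: [])
  wrapper = <<~RUBY
    begin
      #{snippet}
      print "ok"
    rescue Exception => e
      print "raised:", e.class.name
    end
  RUBY
  libs = requires.flat_map { |lib| ["-r", lib] }
  out, _err, status = Open3.capture3(RbConfig.ruby, *libs, "-e", wrapper)
  return [:crashed, status.termsig] if status.signaled?
  return [:raised, out.delete_prefix("raised:")] if out.start_with?("raised:")
  out == "ok" ? [:ok, nil] : [:exited, status.exitstatus]
end

# Return the arguments for which the call did NOT end in TypeError.
# `call_template` is a format string with one %s for the argument.
def non_string_failures(call_template, requires: [])
  NON_STRING_ARGS.reject do |arg|
    probe(format(call_template, arg), requires: requires) == [:raised, "TypeError"]
  end
end

# Constructed stand-ins, since the cups extension is not loaded here:
# a core method that type-checks its argument, and a child that sends
# itself SIGSEGV to imitate native code dereferencing a bad pointer.
CHECKED_CALL = "File.basename(%s)"
SIMULATED_CRASH = "Process.kill(:SEGV, Process.pid); sleep 5"

if $PROGRAM_NAME == __FILE__
  p non_string_failures(CHECKED_CALL)   # arguments that slipped through
  p probe(SIMULATED_CRASH).first        # how a native crash is reported
end
```

To check a real extension, pass its library name in `requires:` and a call template for the method under test; an empty result means every non-String argument was rejected with TypeError.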