[ruby-core:71444] [Ruby trunk - Bug #11674] `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments

From: hanmac@...
Date: 2015-11-11 06:57:45 UTC
List: ruby-core #71444
Issue #11674 has been updated by Hans Mackowiak.


I wanted to see what symbols do appear:


~~~ruby
p 200.times.map { |n|
  vars = n.times.map { |i| :"v#{i}" }
  eval "def foo #{vars.map { |v| "#{v}: 1" } * ?,}
    local_variables
  end"
  foo - vars
}
#=> [[], [], [], [], [], [], [], [], [], [], [], [:!], [:"\""], [:"#"], [:"$"], [:%], [:&], [:"'"], [:"("], [:")"], [:*], [:+], [:","], [:-], [:"."], [:/], [], [], [], [], [], [], [], [], [], [], [:":"], [:";"], [:<], [:"="], [:>], [:"?"], [:"@"], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [:"["], [:"\\"], [:"]"], [:^], [], [:`], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [:"{"], [:|], [:"}"], [:~], [], [:".."], [:"..."], [:+@], [:-@], [:**], [], [:<=>], [:<<], [:>>], [:<=], [:>=], [:==], [:===], [:!=], [:=~], [:!~], [:[]], [:[]=], [:"::"], [], [:"&&"], [:"||"], [:"&."], [:""], [:empty?], [:eql?], [:respond_to?], [:respond_to_missing?], [:"<IFUNC>"], [:"<CFUNC>"], [:"core#set_method_alias"], [:"core#set_variable_alias"], [:"core#undef_method"], [:"core#define_method"], [:"core#define_singleton_method"], [:"core#set_postexe"], [:"core#hash_from_ary"], [:"core#hash_merge_ary"], [:"core#hash_merge_ptr"], [:"core#hash_merge_kwd"], [], [], [], [:freeze], [:inspect], [:intern], [:object_id], [:const_missing], [:method_missing], [:method_added], [:singleton_method_added], [:method_removed], [:singleton_method_removed], [:method_undefined], [:singleton_method_undefined], [:length], [:size], [:gets], [:succ], [:each], [:proc], [:lambda], [:send], [:__send__], [:__attached__], [:initialize], [:initialize_copy], [:initialize_clone], [:initialize_dup], [:to_int], [:to_ary], [:to_str], [:to_sym], [:to_hash], [:to_proc], [:to_io], [:to_a], [:to_s], [:to_i], [:bt], [:bt_locations], [:call], [:mesg], [:exception], [:_], [:__autoload__], [:__classpath__], [:__tmp_classpath__], [:__classid__], [:to_f], [:dig], [:BasicObject], [:Object], [:Module]]
~~~

and because they look too well-formed to be a random buffer overflow,
it seems that they are coming from "defs/id.def",
but I don't know why.

----------------------------------------
Bug #11674: `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments
https://bugs.ruby-lang.org/issues/11674#change-54812

* Author: KJ Tsanaktsidis
* Status: Open
* Priority: Normal
* Assignee: Koichi Sasada
* ruby -v: ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-darwin15]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
The following program appears to demonstrate a buffer overflow in `rb_f_local_variables`

~~~ruby
# 10 required keyword arguments: local_variables is correct
def with_kwargs_10(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:)
  p local_variables
end

# 11 required keyword arguments: one extra, bogus symbol appears
def with_kwargs_11(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:)
  p local_variables
end

# 12 required keyword arguments: the extra symbol changes
def with_kwargs_12(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:, v12:)
  p local_variables
end

# 11 positional arguments: no problem, so it is specific to keyword arguments
def with_args_11(v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11)
  p local_variables
end

with_kwargs_10(v1: 1, v2: 2, v3: 3, v4: 4, v5: 5, v6: 6, v7: 7, v8: 8, v9: 9, v10: 10)
with_kwargs_11(v1: 1, v2: 2, v3: 3, v4: 4, v5: 5, v6: 6, v7: 7, v8: 8, v9: 9, v10: 10, v11: 11)
with_kwargs_12(v1: 1, v2: 2, v3: 3, v4: 4, v5: 5, v6: 6, v7: 7, v8: 8, v9: 9, v10: 10, v11: 11, v12: 12)
with_args_11(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
~~~

Output:

~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :!]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12, :"\""]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~

Expected output:

~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~

There appears to be a buffer overflow, because the symbol :"\"" is next in ASCII order to :!

I'm not familiar with the MRI interpreter internals; I spent a few hours trying to debug the problem but to no avail. It appears that in `vm_eval.c:2072`, `cfp->iseq->local_table_size` is 12 (in `with_kwargs_11`) even though there are only 11 kwargs and no other locals. However, that's as far as I got.



-- 
https://bugs.ruby-lang.org/
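The two scripts in this thread probe fixed keyword-argument counts from the top level. The script below is an added regression check, written for this page and not part of the original report or of Ruby's own test suite: for every n up to a limit it defines a method with n required keyword parameters on an anonymous class (so nothing leaks into Object), calls it, and reports every symbol `local_variables` returns beyond the declared parameter names, plus a separate sanity check that flags symbols that could never be local variable names. The names `build_kwarg_probe`, `extra_locals_for`, `extra_locals_report`, `non_identifier_locals` and `probe` are chosen here. On the affected 2.2.3 build the report would be expected to show entries from n = 11 upward, matching the thread's output; on a Ruby where this bug is fixed the report is empty.

```ruby
# Added regression probe for Bug #11674; not the reporter's code and not
# part of Ruby's test suite. Helper and method names are chosen here.

IDENT_RE = /\A[a-z_][a-zA-Z0-9_]*\z/

# Returns [anonymous class, declared parameter names] for a probe method
# with n required keyword parameters v1..vn. Defining it on an anonymous
# class keeps the probe out of Object, unlike the eval-at-top-level repro.
def build_kwarg_probe(n)
  names = (1..n).map { |i| "v#{i}" }
  klass = Class.new
  params = names.map { |v| "#{v}:" }.join(', ')
  klass.class_eval <<-RUBY
    def probe(#{params})
      local_variables
    end
  RUBY
  [klass, names]
end

# Calls the n-kwarg probe and returns the symbols local_variables reported
# that are not among the declared parameter names (empty on a fixed Ruby).
def extra_locals_for(n)
  klass, names = build_kwarg_probe(n)
  kwargs = Hash[names.map.with_index(1) { |v, i| [v.to_sym, i] }]
  obj = klass.new
  # Avoid passing **{} so the n == 0 case behaves the same on every Ruby.
  locals = kwargs.empty? ? obj.probe : obj.probe(**kwargs)
  locals - names.map(&:to_sym)
end

# Maps each n in 0..max_n that yields extra symbols to those symbols.
def extra_locals_report(max_n)
  (0..max_n).each_with_object({}) do |n, report|
    extra = extra_locals_for(n)
    report[n] = extra unless extra.empty?
  end
end

# Symbols that cannot be local variable names at all (e.g. :! or :"\"").
# A cheap sanity check for any local_variables result, independent of
# knowing which names were declared.
def non_identifier_locals(locals)
  locals.reject { |sym| sym.to_s =~ IDENT_RE }
end

if __FILE__ == $0
  report = extra_locals_report(40)
  if report.empty?
    puts "local_variables clean for 0..40 keyword arguments"
  else
    report.each do |n, extra|
      bogus = non_identifier_locals(extra).size
      puts "#{n} kwargs: extra #{extra.inspect} (#{bogus} non-identifier)"
    end
  end
end
```

Run it under the interpreter you want to check; a non-empty report on a build that claims to carry the fix is a regression, and any symbol flagged by `non_identifier_locals` is garbage whatever the declared names were.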