[ruby-core:71452] [Ruby trunk - Bug #11674] `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments
From: nagachika00@...
Date: 2015-11-11 19:52:59 UTC
List: ruby-core #71452
Issue #11674 has been updated by Tomoyuki Chikanaga.
Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: REQUIRED
----------------------------------------
Bug #11674: `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments
https://bugs.ruby-lang.org/issues/11674#change-54823
* Author: KJ Tsanaktsidis
* Status: Closed
* Priority: Normal
* Assignee: Koichi Sasada
* ruby -v: ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-darwin15]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: REQUIRED
----------------------------------------
The following program appears to demonstrate a buffer overflow in `rb_f_local_variables`:
~~~ruby
# Methods with 10, 11 and 12 required keyword arguments; each prints
# the local variables visible inside the method body.
def with_kwargs_10(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:)
  p local_variables
end

def with_kwargs_11(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:)
  p local_variables
end

def with_kwargs_12(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:, v12:)
  p local_variables
end

# Control case: 11 positional arguments, no keyword arguments.
def with_args_11(v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11)
  p local_variables
end

with_kwargs_10(v1: 1, v2: 2, v3: 3, v4: 4, v5: 5, v6: 6, v7: 7, v8: 8, v9: 9, v10: 10)
with_kwargs_11(v1: 1, v2: 2, v3: 3, v4: 4, v5: 5, v6: 6, v7: 7, v8: 8, v9: 9, v10: 10, v11: 11)
with_kwargs_12(v1: 1, v2: 2, v3: 3, v4: 4, v5: 5, v6: 6, v7: 7, v8: 8, v9: 9, v10: 10, v11: 11, v12: 12)
with_args_11(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
~~~
Output:
~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :!]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12, :"\""]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~
Expected output:
~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~
There appears to be a buffer overflow, because the symbol `:"\""` is next in ASCII order to `:!`.
I'm not familiar with the MRI interpreter internals; I spent a few hours trying to debug the problem but to no avail. It appears that in `vm_eval.c:2072`, `cfp->iseq->local_table_size` is 12 (in `with_kwargs_11`) even though there are only 11 kwargs and no other locals. However, that's as far as I got.
--
https://bugs.ruby-lang.org/
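The report above only shows three hand-written arities. The following regression probe is an added example, not code from the reporter or from the Ruby project: it generates methods with N required keyword arguments for a whole range of N and checks that `local_variables` returns exactly the declared names, so a rebuilt interpreter (or a backport) can be verified quickly. The method names `kw_N` and the helper names are constructed here for the probe.

```ruby
# Added regression probe for Bug #11674 (not part of the original report):
# defines methods with N required keyword arguments and checks that
# `local_variables` inside them returns exactly the declared parameter names.
# An affected interpreter returns extra garbage symbols (e.g. :! or :"\"")
# once N exceeds 10; a fixed one returns the names only.

# Defines a public method kw_N(v1:, ..., vN:) on Object whose body returns
# local_variables, and returns the expected symbol list [:v1, ..., :vN].
# The method name and its source are constructed here for the probe.
def define_kwargs_probe(n)
  names = (1..n).map { |i| "v#{i}" }
  params = names.map { |v| "#{v}:" }.join(", ")
  Object.class_eval(<<~RUBY)
    def kw_#{n}(#{params})
      local_variables
    end
  RUBY
  names.map(&:to_sym)
end

# Calls kw_N with v1: 1, ..., vN: N and returns [actual, expected].
def probe_local_variables(n)
  expected = define_kwargs_probe(n)
  kwargs = Hash[expected.each_with_index.map { |name, i| [name, i + 1] }]
  actual = Object.new.public_send(:"kw_#{n}", **kwargs)
  [actual, expected]
end

# Returns every arity in 1..max_n for which local_variables disagrees with
# the declared parameters; an empty array means no overflow was observed.
def find_mismatches(max_n)
  (1..max_n).select do |n|
    actual, expected = probe_local_variables(n)
    actual != expected
  end
end

if __FILE__ == $PROGRAM_NAME
  bad = find_mismatches(20)
  if bad.empty?
    puts "local_variables matched declared kwargs for arities 1..20"
  else
    puts "mismatch at arities: #{bad.inspect}"
    bad.each { |n| p probe_local_variables(n).first }
  end
end
```

On ruby 2.2.3p173 as described in the report, `find_mismatches(20)` would be expected to list every arity above 10; on a fixed interpreter it returns an empty array. Because the methods are generated from a string, the same probe can be pointed at any arity range without editing it by hand.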