From: nagachika00@...
Date: 2015-11-29T09:01:35+00:00
Subject: [ruby-core:71733] [Ruby trunk - Bug #11674] `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments

Issue #11674 has been updated by Tomoyuki Chikanaga.

Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: REQUIRED to 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: DONE

Backported into `ruby_2_2` branch at r52787.

----------------------------------------
Bug #11674: `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments
https://bugs.ruby-lang.org/issues/11674#change-55138

* Author: KJ Tsanaktsidis
* Status: Closed
* Priority: Normal
* Assignee: Koichi Sasada
* ruby -v: ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-darwin15]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: DONE
----------------------------------------
The following program appears to demonstrate a buffer overflow in `rb_f_local_variables`:

~~~ruby
def with_kwargs_10(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:)
  p local_variables
end

def with_kwargs_11(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:)
  p local_variables
end

def with_kwargs_12(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:, v12:)
  p local_variables
end

def with_args_11(v1,v2,v3,v4,v5,v6,v7,v8,v9,v10,v11)
  p local_variables
end

with_kwargs_10(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10)
with_kwargs_11(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10,v11:11)
with_kwargs_12(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10,v11:11,v12:12)
with_args_11(1,2,3,4,5,6,7,8,9,10,11)
~~~

Output:

~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :!]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12, :"\""]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~

Expected output:

~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~

There appears to be a buffer overflow, because the symbol `:"\""` is next in ASCII order to `:!`.

I'm not familiar with the MRI interpreter internals; I spent a few hours trying to debug the problem but to no avail. It appears that in `vm_eval.c:2072`, `cfp->iseq->local_table_size` is 12 (in `with_kwargs_11`) even though there are only 11 kwargs and no other locals. However, that's as far as I got.

-- 
https://bugs.ruby-lang.org/
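The reproduction in the report hard-codes three arities. The check below is an added example, not code from the bug report or from the Ruby project: it generalizes the same test to every keyword-argument count from 1 up to a chosen maximum, so an interpreter can be screened for the symptom (extra garbage symbols in `local_variables`) before and after applying the r52787 backport. The module name `KwargsLocalsCheck`, the `probe_N` method names and the `v1..vN` parameter names are all constructed for this example.

```ruby
# Regression check for the local_variables / keyword-argument issue.
# Constructed example (not the bug report's code): for each arity n it
# defines a method with n required keyword arguments via class_eval,
# calls it, and compares `local_variables` against the expected symbols.
# Any n for which extra entries show up is reported as a mismatch.

module KwargsLocalsCheck
  # Define, on `target`, a method probe_<n>(v1:, ..., vn:) that returns
  # the local_variables visible inside its own body. Returns the expected
  # symbol list so the caller can compare against it.
  def self.define_probe(target, n)
    names  = (1..n).map { |i| "v#{i}" }
    params = names.map { |nm| "#{nm}:" }.join(", ")
    target.class_eval(<<~RUBY, __FILE__, __LINE__ + 1)
      def probe_#{n}(#{params})
        local_variables
      end
    RUBY
    names.map(&:to_sym)
  end

  # Build a fresh anonymous class, define the probe on it and invoke it with
  # v1: 1, v2: 2, ... . Returns [actual, expected] symbol arrays.
  def self.probe(n)
    holder   = Class.new
    expected = define_probe(holder, n)
    kwargs   = expected.each_with_index.map { |sym, i| [sym, i + 1] }.to_h
    actual   = holder.new.public_send(:"probe_#{n}", **kwargs)
    [actual, expected]
  end

  # Returns [n, actual] pairs for every arity in 1..max_kwargs where the
  # reported locals differ from the declared keyword parameters; empty on an
  # interpreter that does not exhibit the bug.
  def self.mismatches(max_kwargs = 16)
    (1..max_kwargs).each_with_object([]) do |n, bad|
      actual, expected = probe(n)
      bad << [n, actual] unless actual == expected
    end
  end
end

if __FILE__ == $0
  bad = KwargsLocalsCheck.mismatches
  if bad.empty?
    puts "local_variables matched for 1..16 keyword arguments (ruby #{RUBY_VERSION})"
  else
    bad.each { |n, actual| puts "#{n} kwargs: #{actual.inspect}" }
  end
end
```

On a fixed interpreter `mismatches` returns an empty array; on an affected 2.2.3 build the report's output suggests it would return entries for every n above 10, each carrying the stray trailing symbol. Each arity gets its own anonymous class so the probes never share a local table.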