From: lucnguyen3090@...
Date: 2017-03-07T06:02:45+00:00
Subject: [ruby-core:79951] [Ruby trunk Bug#13289] Integer overflow in str_byte_substr & rb_str_subpos when SHARABLE_MIDDLE_SUBSTRING is set to 1

Issue #13289 has been reported by Luc Nguyen.

----------------------------------------
Bug #13289: Integer overflow in str_byte_substr & rb_str_subpos when SHARABLE_MIDDLE_SUBSTRING is set to 1
https://bugs.ruby-lang.org/issues/13289

* Author: Luc Nguyen
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: 2.4.0p0 (2016-12-24 revision 57164) [x86_64-linux]
* Backport: 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------

Integer overflow occurs in string.c (lines 2319 & 5257). `beg + len` and `clen`/`n` can be controlled by the user.

E.g.:

```ruby
a = "B" * 0x400            # 0x400-byte string
a[0x40, 0x7fffffffffffffff] # sets the length of the substring to 0x7fffffffffffffff
```

This leads to out-of-bounds memory access if:

```c
#define SHARABLE_MIDDLE_SUBSTRING 1
```

PoC attached.

---Files--------------------------------
substr.rb (104 Bytes)

--
https://bugs.ruby-lang.org/
Unsubscribe:
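The report turns on a bounds check that forms `beg + len` before comparing it with the string length: with `beg = 0x40` and `len = 0x7fffffffffffffff` the sum wraps negative on x86_64, so a "past the end" test never fires. The following is an added illustration written for this page, not the code in Ruby's string.c: `range_ok_unsafe`, `range_ok_safe`, `substr_len_clamped` and `substr_copy` are hypothetical helpers, and `wrapping_add` models the machine's two's-complement wrap without relying on signed-overflow undefined behaviour (the add is done unsigned and converted back, which GCC and Clang define as modulo 2^64). The hardened form never computes `beg + len`; it compares `len` against `clen - beg`, which cannot overflow once `0 <= beg <= clen` has been established.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative bounds checks for a byte-substring operation str[beg, len].
 * Hypothetical helpers written for this note, not Ruby's string.c; they only
 * show the overflow pattern the bug report describes and one way to avoid it.
 */

/* Model the wrap a two's-complement machine performs on beg + len without
 * invoking signed-overflow UB: add as unsigned, convert back (modulo 2^64
 * on GCC/Clang, which is what the report's 0x7fffffffffffffff case relies on). */
static long wrapping_add(long a, long b)
{
    return (long)((unsigned long)a + (unsigned long)b);
}

/* Buggy check: forms beg + len and compares it with clen. With beg = 0x40 and
 * len = LONG_MAX (0x7fffffffffffffff on x86_64) the sum wraps negative, the
 * comparison succeeds and the caller goes on with an end offset past the
 * buffer. */
static bool range_ok_unsafe(long beg, long len, long clen)
{
    if (beg < 0 || len < 0 || beg > clen)
        return false;
    return wrapping_add(beg, len) <= clen;   /* wraps for large len */
}

/* Hardened check: never forms beg + len. Because 0 <= beg <= clen holds here,
 * clen - beg cannot overflow, so comparing len against it is exact. */
static bool range_ok_safe(long beg, long len, long clen)
{
    if (beg < 0 || len < 0 || beg > clen)
        return false;
    return len <= clen - beg;
}

/* Clamped substring length (the behaviour Ruby documents for String#[] when
 * len runs past the end): min(len, clen - beg), or -1 if beg itself is out of
 * range. Uses the same non-overflowing comparison as range_ok_safe. */
static long substr_len_clamped(long beg, long len, long clen)
{
    if (beg < 0 || len < 0 || beg > clen)
        return -1;
    long avail = clen - beg;
    return len < avail ? len : avail;
}

/* Copy str[beg, len] into out (which must hold clen + 1 bytes). Returns the
 * number of bytes copied or -1 for an out-of-range start; every read stays
 * inside [0, clen). */
static long substr_copy(const char *str, long clen, long beg, long len, char *out)
{
    long n = substr_len_clamped(beg, len, clen);
    if (n < 0)
        return -1;
    memcpy(out, str + beg, (size_t)n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed input mirroring the report: a 0x400-byte string of 'B'. */
    static char buf[0x400 + 1];
    static char out[0x400 + 1];
    memset(buf, 'B', 0x400);
    buf[0x400] = '\0';

    long clen = 0x400, beg = 0x40, len = LONG_MAX;

    printf("unsafe check accepts [0x40, LONG_MAX]: %s\n",
           range_ok_unsafe(beg, len, clen) ? "yes (bug)" : "no");
    printf("safe check accepts   [0x40, LONG_MAX]: %s\n",
           range_ok_safe(beg, len, clen) ? "yes" : "no (rejected)");

    long n = substr_copy(buf, clen, beg, len, out);
    printf("clamped substring length: %ld (0x%lx)\n", n, n);
    return 0;
}
```

Compile with `-fsanitize=undefined` if you want confirmation that the modelled wrap itself is not UB; the real-world lesson is the shape of the check, which is worth grepping any native string or buffer code for: `if (beg + len > clen)` is the wrong form, `if (len > clen - beg)` after validating `beg` is the right one.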