From: naruse@...
Date: 2017-03-12T16:51:51+00:00
Subject: [ruby-core:80067] [Ruby trunk Bug#13289] Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1

Issue #13289 has been updated by Yui NARUSE.

Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: DONE

ruby_2_4 r57931 merged revision(s) 57797,57799,57800.

----------------------------------------
Bug #13289: Integer overflow in str_byte_substr & rb_str_subpos when set SHARABLE_MIDDLE_SUBSTRING by 1
https://bugs.ruby-lang.org/issues/13289#change-63495

* Author: Luc Nguyen
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: 2.4.0p0 (2016-12-24 revision 57164) [x86_64-linux]
* Backport: 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: DONE
----------------------------------------
Integer overflow occurs in string.c (line 2319 & 5257). beg + len & clen/n can be controlled by the user.

Eg:

```ruby
a = "B" * 0x400
# len = 0x7fffffffffffffff, so beg + len wraps around in the substring length check
a[0x40, 0x7fffffffffffffff]
```

This leads to out-of-bounds memory access if:

```
#define SHARABLE_MIDDLE_SUBSTRING 1
```

PoC attached.

---Files--------------------------------
substr.rb (104 Bytes)

-- 
https://bugs.ruby-lang.org/
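The overflow pattern in the report, shown side by side with an overflow-free clamp. This is an added illustration written for this page, not code from the bug report, not Ruby's string.c, and not the fix carried in the merged revisions above; the function names clamp_len_overflowing and clamp_len_safe are hypothetical, and the n/beg/len values follow the reporter's example (a 0x400-byte string, beg = 0x40, len = 0x7fffffffffffffff). The buggy shape forms beg + len before comparing against the buffer size n, so a huge len wraps the sum negative and the clamp never fires; the hardened shape compares len against the remaining space n - beg, which cannot overflow once beg is known to lie in [0, n].

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Clamp a byte-substring request [beg, beg + len) against an n-byte buffer.
 * Returns false when the request must be rejected outright (nil in Ruby
 * terms), otherwise writes the clamped length to *out.
 *
 * Overflowing variant (hypothetical name, models the shape of the buggy
 * check). The sum is formed through unsigned long so the wraparound is
 * well-defined in this demo; in plain C the signed addition beg + len is
 * undefined behaviour and wraps to a negative value on common compilers. */
static bool clamp_len_overflowing(long n, long beg, long len, long *out)
{
    if (len < 0) return false;
    if (beg > n) return false;
    if (beg < 0) {
        beg += n;
        if (beg < 0) return false;
    }
    /* beg + len with len near LONG_MAX wraps negative, so this test is
     * false and len is left untouched: the caller now reads past the end. */
    long sum = (long)((unsigned long)beg + (unsigned long)len);
    if (sum > n) len = n - beg;
    *out = len;
    return true;
}

/* Hardened variant (hypothetical name): compare len against the space that
 * remains instead of forming beg + len. After the checks above, beg is in
 * [0, n], so n - beg is in [0, n] and the comparison cannot overflow. */
static bool clamp_len_safe(long n, long beg, long len, long *out)
{
    if (len < 0) return false;
    if (beg > n) return false;
    if (beg < 0) {
        beg += n;
        if (beg < 0) return false;
    }
    if (len > n - beg) len = n - beg;
    *out = len;
    return true;
}

int main(void)
{
    /* Constructed input mirroring the report: "B" * 0x400, then a[0x40, 0x7fffffffffffffff]. */
    long n = 0x400, beg = 0x40, len = LONG_MAX, out = 0;

    clamp_len_overflowing(n, beg, len, &out);
    printf("overflowing clamp: len=%ld (exceeds buffer end by %ld bytes)\n",
           out, out - (n - beg));

    clamp_len_safe(n, beg, len, &out);
    printf("safe clamp:        len=%ld\n", out);
    return 0;
}
```

The same reasoning applies wherever a bounds check is written as `start + length > size`: if either operand is attacker-controlled, rewrite it as `length > size - start` after establishing that `start` is within the buffer, or use a checked-add builtin.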