From: luke.gru@...
Date: 2019-06-21T00:37:34+00:00
Subject: [ruby-core:93295] [Ruby trunk Bug#15946] Undefined behavior can occur with memcpy in String#sub!

Issue #15946 has been reported by luke-gru (Luke Gruber).

----------------------------------------
Bug #15946: Undefined behavior can occur with memcpy in String#sub!
https://bugs.ruby-lang.org/issues/15946

* Author: luke-gru (Luke Gruber)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
Hi, I've found an overlapping memcpy in an odd situation:

```ruby
s = "hello there this is a long string and cant be embedded"
s2 = s.dup           # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2)      # just 1 example that exhibits the undefined behavior memcpy
```

In the C function `rb_str_sub_bang()`, I added a printf call and here's the output:

```c
if (rlen != plen) {
    memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
/* debugging output added by the reporter */
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n",
        p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen); /* rp == p here, so source and destination overlap */
```

It doesn't crash on my system, but it could on some systems.

Thanks :)

--
https://bugs.ruby-lang.org/
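To make the hazard in the report concrete, here is an added stand-alone C example; it is not part of the report and not Ruby's code or Ruby's fix. It models the two-step "shift the tail, then copy the replacement in" sequence of `rb_str_sub_bang()` on a plain buffer. `replace_span_unsafe` copies the replacement with a forward byte loop, which is one behaviour an overlapping `memcpy` is allowed to have, so the corruption shows deterministically instead of depending on the platform's `memcpy`. `replace_span_safe` detects that the replacement aliases the buffer, snapshots it before the tail shift, and uses `memmove`. The example goes slightly beyond the report: the second scenario (`run_tail_case`) shows that even `memmove` is not enough when the replacement points into the tail that step 1 moves. The function names, `regions_overlap`, and the sample strings are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 when [a, a+alen) and [b, b+blen) share at least one byte.
 * Comparing pointers into unrelated objects is itself not well defined in C,
 * so the check is done on integer addresses. */
int regions_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t a0 = (uintptr_t)a, a1 = a0 + alen;
    uintptr_t b0 = (uintptr_t)b, b1 = b0 + blen;
    return a0 < b1 && b0 < a1;
}

/* A forward, byte-at-a-time copy: one behaviour a memcpy implementation may
 * exhibit. Used only to show deterministically what overlap does to the data. */
static void forward_copy(char *dst, const char *src, size_t n)
{
    for (size_t i = 0; i < n; i++) dst[i] = src[i];
}

/* Replace the plen bytes at buf[beg] with the rlen bytes at rp, mirroring the
 * shift-then-copy sequence from the report, but with no protection against
 * rp pointing into buf. Returns the new length, or 0 on a bounds error. */
size_t replace_span_unsafe(char *buf, size_t cap, size_t len, size_t beg,
                           size_t plen, const char *rp, size_t rlen)
{
    if (beg > len || plen > len - beg) return 0;
    size_t newlen = len - plen + rlen;
    if (newlen + 1 > cap) return 0;
    if (rlen != plen)                       /* step 1: shift the tail */
        memmove(buf + beg + rlen, buf + beg + plen, len - beg - plen);
    forward_copy(buf + beg, rp, rlen);      /* step 2: overlapping copy hazard */
    buf[newlen] = '\0';
    return newlen;
}

/* Same operation, hardened: if the replacement aliases the buffer, copy it to
 * fresh storage first so neither the tail shift nor the final copy can read
 * bytes that have already been overwritten. */
size_t replace_span_safe(char *buf, size_t cap, size_t len, size_t beg,
                         size_t plen, const char *rp, size_t rlen)
{
    if (beg > len || plen > len - beg) return 0;
    size_t newlen = len - plen + rlen;
    if (newlen + 1 > cap) return 0;
    char *tmp = NULL;
    if (regions_overlap(buf, len, rp, rlen)) {
        tmp = malloc(rlen ? rlen : 1);
        if (!tmp) return 0;
        memcpy(tmp, rp, rlen);              /* tmp is distinct storage: no overlap */
        rp = tmp;
    }
    if (rlen != plen)
        memmove(buf + beg + rlen, buf + beg + plen, len - beg - plen);
    memmove(buf + beg, rp, rlen);           /* memmove tolerates overlap anyway */
    buf[newlen] = '\0';
    free(tmp);
    return newlen;
}

/* Constructed sample mirroring the report: pattern = buf[1..] (the slice),
 * replacement = buf itself, so rp == buf and beg == 1. Returns the result. */
const char *run_report_case(int safe)
{
    static const char sample[] =
        "hello there this is a long string and cant be embedded";  /* 54 bytes */
    static char buf[128];
    size_t len = sizeof sample - 1;
    memcpy(buf, sample, len + 1);
    size_t n = safe ? replace_span_safe(buf, sizeof buf, len, 1, len - 1, buf, len)
                    : replace_span_unsafe(buf, sizeof buf, len, 1, len - 1, buf, len);
    return n ? buf : NULL;
}

/* Constructed sample where the replacement lives in the tail that step 1 moves:
 * replace "a" in "abcdef" with the trailing "ef". Correct result: "efbcdef". */
const char *run_tail_case(int safe)
{
    static char buf[32];
    memcpy(buf, "abcdef", 7);
    size_t n = safe ? replace_span_safe(buf, sizeof buf, 6, 0, 1, buf + 4, 2)
                    : replace_span_unsafe(buf, sizeof buf, 6, 0, 1, buf + 4, 2);
    return n ? buf : NULL;
}

/* Returns 1 if every byte of s equals c (used to recognise the smeared result). */
int all_chars_are(const char *s, char c)
{
    for (; *s; s++) if (*s != c) return 0;
    return 1;
}

int main(void)
{
    printf("report case, unsafe: %s\n", run_report_case(0));
    printf("report case, safe:   %s\n", run_report_case(1));
    printf("tail case, unsafe:   %s\n", run_tail_case(0));
    printf("tail case, safe:     %s\n", run_tail_case(1));
    return 0;
}
```

Run stand-alone, the unsafe report case prints a string of 55 `h` characters because each forward-copied byte reads the byte just written, while the safe variant yields the intended `"h" + original`. The tail case shows why an overlap check before the first `memmove` matters, not just swapping the final `memcpy` for `memmove`.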