From: nagachika00@...
Date: 2019-08-07T12:23:54+00:00
Subject: [ruby-core:94175] [Ruby master Bug#15934] String#b can lead to memory corruption

Issue #15934 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67733 merged revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca.

----------------------------------------
Bug #15934: String#b can lead to memory corruption
https://bugs.ruby-lang.org/issues/15934#change-80433

* Author: alanwu (Alan Wu)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
----------------------------------------
The following script triggers use-after-free on trunk(801d0d9), 2.4.6, 2.5.5 and 2.6.3.

```ruby
a = ('j' * 24).b.b      # a binary-encoded copy of a binary-encoded copy
eval('', binding, a)    # passing `a` as the file name registers it as a fstring
p a
4.times { GC.start }    # force collection, then print `a` again
p a
```

The consequence is usually that `a` gets corrupted (it depends on what the system allocator does when it frees memory). Here is a sample output for the script:

```
$> ruby -v bad.rb
ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
"jjjjjjjjjjjjjjjjjjjjjjjj"
"D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"
```

This is caused by the same underlying issue as #15792. Credits to wanabe-san for using eval as a cross-version way of registering a fstring.

I have a fix for this: https://github.com/ruby/ruby/pull/2183

--
https://bugs.ruby-lang.org/