From: nagachika00@...
Date: 2019-08-09T13:42:32+00:00
Subject: [ruby-core:94220] [Ruby master Bug#15946] Undefined behavior can occur with memcpy in String#sub!

Issue #15946 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67739 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.

----------------------------------------
Bug #15946: Undefined behavior can occur with memcpy in String#sub!
https://bugs.ruby-lang.org/issues/15946#change-80520

* Author: luke-gru (Luke Gruber)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
----------------------------------------
Hi, I've found an overlapping memcpy in an odd situation:

```ruby
s = "hello there this is a long string and cant be embedded"
s2 = s.dup           # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2)      # just 1 example that exhibits the undefined behavior memcpy
```

In the C function `rb_str_sub_bang()`, I added a printf call and here's the output:

```c
if (rlen != plen) {
    memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n",
        p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen); /* rp == p here, so source and destination overlap */
```

Doesn't crash on my system but possible on some systems.

Thanks :)

--
https://bugs.ruby-lang.org/
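The hazard in the report is that `memcpy()` is only defined for disjoint ranges, and a shared (non-embedded) Ruby string can make the replacement pointer `rp` alias the receiver's buffer `p`. The following is an added illustration, not code from the report or from Ruby's own `string.c`: it models the memmove/memcpy shape quoted above in a small self-contained routine, detects the aliasing explicitly, and snapshots the replacement before the buffer is modified so that neither the tail shift nor the final copy ever operates on overlapping memory. The names `regions_overlap`, `sub_bang_inplace` and `demo_report_case` are my own, and `demo_report_case` replays the report's exact scenario (pattern = `s[1..]`, replacement = the receiver itself, so `beg0 = 1` and `rp == p`) on a private constructed buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed scratch buffer, only used to exercise regions_overlap(). */
static char sample[16];

/* True when [a, a+alen) and [b, b+blen) share at least one byte.
 * Addresses are compared as integers so the check is well defined even
 * when the two pointers come from different allocations. */
bool regions_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t sa = (uintptr_t)a, sb = (uintptr_t)b;
    if (alen == 0 || blen == 0)
        return false;
    return sa < sb + blen && sb < sa + alen;
}

/* In-place substitution with the same shape as the quoted rb_str_sub_bang()
 * fragment: buf holds *len bytes (capacity cap) and the match at
 * [beg0, beg0+plen) is replaced by the rlen bytes at rp.  Unlike the quoted
 * fragment it tolerates rp pointing into buf (a shared string): the
 * replacement is snapshotted into a private heap block before buf is
 * touched, so the tail memmove cannot clobber it and the final memcpy never
 * sees overlapping ranges.  Returns the new length, or (size_t)-1 on bad
 * arguments or insufficient capacity. */
size_t sub_bang_inplace(char *buf, size_t *len, size_t cap,
                        size_t beg0, size_t plen,
                        const char *rp, size_t rlen)
{
    char *tmp = NULL;
    size_t newlen;

    if (beg0 > *len || plen > *len - beg0)
        return (size_t)-1;
    newlen = *len - plen + rlen;
    if (newlen > cap)
        return (size_t)-1;

    if (regions_overlap(buf, cap, rp, rlen)) {
        tmp = malloc(rlen ? rlen : 1);
        if (tmp == NULL)
            return (size_t)-1;
        memcpy(tmp, rp, rlen);    /* distinct allocation: no overlap */
        rp = tmp;
    }

    if (rlen != plen)             /* shift the tail to make room */
        memmove(buf + beg0 + rlen, buf + beg0 + plen, *len - beg0 - plen);
    memcpy(buf + beg0, rp, rlen); /* rp is now guaranteed disjoint from buf */

    *len = newlen;
    free(tmp);
    return newlen;
}

/* Replays the report's scenario on a private buffer: pattern = s[1..],
 * replacement = the receiver itself, so beg0 = 1, plen = len-1, rlen = len
 * and rp == buf, exactly what the quoted fprintf shows (rp-p:0).
 * Returns a malloc'd NUL-terminated result (caller frees), or NULL. */
char *demo_report_case(void)
{
    static const char s[] = "hello there this is a long string and cant be embedded";
    size_t len = sizeof s - 1, cap = 2 * len;
    char *buf = malloc(cap + 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, s, len);
    if (sub_bang_inplace(buf, &len, cap, 1, len - 1, buf, len) == (size_t)-1) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;  /* "h" followed by the whole original string, 55 bytes */
}

int main(void)
{
    char *r = demo_report_case();
    if (r == NULL)
        return 1;
    printf("aliasing detected: %s\n",
           regions_overlap(r, strlen(r), r + 1, 4) ? "yes" : "no");
    printf("result (%zu bytes): %s\n", strlen(r), r);
    free(r);
    return 0;
}
```

The snapshot is taken against the whole capacity rather than only the live length because the tail shift may write up to the new length; a plain switch from `memcpy` to `memmove` would remove the undefined behaviour of the final copy but would still let the preceding `memmove` overwrite part of an aliased replacement before it is read.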