From: usa@...
Date: 2019-08-26T16:17:55+00:00
Subject: [ruby-core:94579] [Ruby master Bug#15946] Undefined behavior can occur with memcpy in String#sub!

Issue #15946 has been updated by usa (Usaku NAKAMURA).

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67770 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.

----------------------------------------
Bug #15946: Undefined behavior can occur with memcpy in String#sub!
https://bugs.ruby-lang.org/issues/15946#change-81037

* Author: luke-gru (Luke Gruber)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
----------------------------------------
Hi,

I've found an overlapping memcpy in an odd situation:

```ruby
s = "hello there this is a long string and cant be embedded"
s2 = s.dup # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2) # just 1 example that exhibits the undefined behavior memcpy
```

In the C function `rb_str_sub_bang()`, I added a printf call and here's the output:

```c
if (rlen != plen) {
    memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n", p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen);
```

Doesn't crash on my system but possible on some systems.

Thanks :)

--
https://bugs.ruby-lang.org/
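The aliasing case from the report, reconstructed as an added C example (this is not Ruby's own code and not the upstream fix in r67770): the replacement source is checked for overlap with the destination buffer and snapshotted before the buffer is shifted, so the final copy never has overlapping operands. The names `ranges_overlap`, `sub_in_place` and `reproduce_report` are this example's own, and the scenario mirrors the report's numbers (beg0 = 1, rlen = 54, rp == p).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* 1 if [src, src+slen) overlaps [dst, dst+dlen); addresses compared as integers. */
static int ranges_overlap(const char *dst, size_t dlen, const char *src, size_t slen)
{
    uintptr_t d0 = (uintptr_t)dst, d1 = d0 + dlen;
    uintptr_t s0 = (uintptr_t)src, s1 = s0 + slen;
    return d0 < s1 && s0 < d1;
}

/* Replace buf[beg0, beg0+plen) with rp[0, rlen) in place (buf is NUL-terminated,
   with room for len - plen + rlen + 1 bytes) and return the new length. If rp
   aliases buf it is snapshotted first, so memcpy never sees overlapping operands. */
static size_t sub_in_place(char *buf, size_t len, size_t beg0, size_t plen,
                           const char *rp, size_t rlen)
{
    char *tmp = NULL;
    if (ranges_overlap(buf, len + 1, rp, rlen)) {   /* aliasing: defensive copy */
        tmp = malloc(rlen);
        if (!tmp) abort();
        memcpy(tmp, rp, rlen);
        rp = tmp;
    }
    if (rlen != plen)                               /* shift the tail, NUL included */
        memmove(buf + beg0 + rlen, buf + beg0 + plen, len - beg0 - plen + 1);
    memcpy(buf + beg0, rp, rlen);                   /* operands are now disjoint */
    free(tmp);
    return len - plen + rlen;
}

/* Constructed reproduction of the report: pattern s3 = s2[1..] matches at
   beg0 = 1, plen = 53; the replacement is s2's own buffer (rp - p == 0, rlen 54). */
static int reproduce_report(char *out, size_t outcap)
{
    const char *s = "hello there this is a long string and cant be embedded";
    size_t len = strlen(s);
    if (outcap < 2 * len + 2) return -1;
    memcpy(out, s, len + 1);
    return (int)sub_in_place(out, len, 1, len - 1, out, len);
}

int main(void)
{
    char buf[128];
    int n = reproduce_report(buf, sizeof buf);
    printf("%d: %s\n", n, buf); return n == 55 ? 0 : 1;
}
```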