From: merch-redmine@...
Date: 2019-08-11T19:44:42+00:00
Subject: [ruby-dev:50833] [Ruby master Bug#9868] bigdecimal#VpAlloc causes	out-of-bounds read

Issue #9868 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Closed

I think this is fixed by https://github.com/ruby/bigdecimal/commit/e738c1377108baa0c2fd03cdee0eeb1239f627b2.

----------------------------------------
Bug #9868: bigdecimal#VpAlloc causes out-of-bounds read
https://bugs.ruby-lang.org/issues/9868#change-80614

* Author: mame (Yusuke Endoh)
* Status: Closed
* Priority: Normal
* Assignee: mrkn (Kenta Murata)
* Target version: 
* ruby -v: ruby 2.2.0dev (2014-05-25 trunk 46107) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
以下のようなパッチを当てて

~~~diff
diff --git a/ext/bigdecimal/bigdecimal.c b/ext/bigdecimal/bigdecimal.c
index 44e13a4..400dda0 100644
--- a/ext/bigdecimal/bigdecimal.c
+++ b/ext/bigdecimal/bigdecimal.c
@@ -3911,6 +3911,7 @@ VpAlloc(size_t mx, const char *szVal)
     }
     /* Skip trailing spaces */
     while (--i > 0) {
+       printf("dereference psz[%lu]\n", i);
        if (ISSPACE(psz[i])) psz[i] = 0;
        else break;
     }
~~~

以下のようなコードを実行すると、

~~~
$ ./ruby -I .ext/x86_64-linux/ -I . -I lib -r bigdecimal -e 'p BigDecimal.new("#")'
dereference psz[1]
dereference psz[8]
dereference psz[2]
dereference psz[18446744073709551615]
#<BigDecimal:7f06266cb820,'0.0',9(9)>
~~~

見るからにまずそうなデリファレンスが行われていることが観察されます。
Coverity Scan が見つけてくれました。

-- 
Yusuke Endoh <mame@ruby-lang.org>



-- 
https://bugs.ruby-lang.org/