Bug #10304

File.expand_path crashes with tilde on Windows

Added by h.shirosaki (Hiroshi Shirosaki) over 9 years ago. Updated over 9 years ago.

Status: Closed
Target version: -
ruby -v: ruby 2.2.0dev (2014-09-29 trunk 47735) [x64-mingw32]
[ruby-core:65317]

Description

File.expand_path crashes with user home which starts with tilde using mingw ruby.

TestFileExhaustive#test_expand_path_home in test-all crashed.

~~~
$ ./miniruby -e 'File.expand_path("~aaaaaaaaaaaaaaaaaaaaaa")'
-e:1: [BUG] probable buffer overflow: 22 for 16
ruby 2.2.0dev (2014-09-29 trunk 47735) [x64-mingw32]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0008 e:000007 CFUNC  :expand_path
c:0002 p:0013 s:0004 E:0000f0 EVAL   -e:1 [FINISH]
c:0001 p:0000 s:0002 E:000a00 TOP    [FINISH]

-- Ruby level backtrace information ----------------------------------------
-e:1:in `<main>'
-e:1:in `expand_path'

-- C level backtrace information -------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll(NtWaitForSingleObject+0xa) [0x00000000774212FA]
C:\Windows\system32\KERNELBASE.dll(WaitForSingleObjectEx+0x9c) [0x000007FEFD9410DC]
 [0x000000000059FE74]
 [0x000000000044B91C]
 [0x0000000000539E83]
 [0x00000000005C6E0D]
 [0x00000000005C76A9]
 [0x0000000000461A9F]
 [0x000000000058A316]
 [0x0000000000597161]
 [0x000000000058F9CB]
 [0x0000000000593781]
 [0x000000000059C390]
 [0x00000000004507B1]
 [0x0000000000453901]
 [0x00000000005CDD84]
 [0x00000000004013D7]
 [0x00000000004014F8]
C:\Windows\system32\kernel32.dll(BaseThreadInitThunk+0xd) [0x00000000771C59ED]

-- Other runtime information -----------------------------------------------

* Loaded script: -e

* Loaded features:

    0 enumerator.so
    1 rational.so
    2 complex.so

~~~

It seems `rb_str_modify_expand()` doesn't expand the string.
Here is a patch.

```patch
diff --git a/win32/file.c b/win32/file.c
index 99c3521..549657e 100644
--- a/win32/file.c
+++ b/win32/file.c
@@ -290,10 +290,9 @@ append_wstr(VALUE dst, const wchar_t *ws, size_t len, UINT cp, UINT path_cp, rb_
     if (cp == path_cp) {
 	nlen = WideCharToMultiByte(cp, 0, ws, len, NULL, 0, NULL, NULL);
 	olen = RSTRING_LEN(dst);
-	rb_str_modify_expand(dst, nlen);
+	rb_str_resize(dst, olen + nlen);
 	WideCharToMultiByte(cp, 0, ws, len, RSTRING_PTR(dst) + olen, nlen, NULL, NULL);
 	rb_enc_associate(dst, path_encoding);
-	rb_str_set_len(dst, nlen);
     }
     else {
 	const int replaceflags = ECONV_UNDEF_REPLACE|ECONV_INVALID_REPLACE;
```

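Review bot: in the `cp == path_cp` branch, the result of the sizing call to `WideCharToMultiByte` goes straight into `rb_str_resize(dst, olen + nlen)` and the return value of the second call, which writes at `RSTRING_PTR(dst) + olen`, is discarded. If that second call fails or converts fewer bytes than `nlen`, `dst` keeps a length that covers bytes which were never written. Suggest checking that `nlen` is positive before resizing, comparing the second call's result against `nlen`, and trimming or raising on mismatch. `len` is declared `size_t` in the signature but is passed where the Windows API takes an `int`, so an explicit range check belongs here as well. Separately, the report says `rb_str_modify_expand()` fails to expand the string; switching this one caller to `rb_str_resize` leaves that function's other callers with the same problem, so the underlying defect needs its own fix.
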
Updated by nobu (Nobuyoshi Nakada) over 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r47737.


string.c: fix NOFREE

  • string.c (str_make_independent_expand): drop NOFREE flag after
    reallocation, static buffer is not pointed anymore.
    [ruby-core:65317] [Bug #10304]