Bug #10296 (Closed): SEGV from unchecked Data_Get_Struct() argument
Description
I can crash all Ruby versions I tried with this program:

    require 'json'
    require 'zlib'

    module JSON
      module Ext
        module Generator
          class State
            def foo
              # initialize_copy is called directly with an object of an unrelated
              # type; the C side reads it with Data_Get_Struct() and treats the
              # GzipWriter's data as a State.
              initialize_copy(Zlib::GzipWriter.new('foo.gz'))
            end
          end
        end
      end
    end

    state = JSON::Ext::Generator::State.new.foo
Updated by normalperson (Eric Wong) over 8 years ago
Calling initialize_copy directly is probably buggy behavior and not
unique to just the json/zlib C extensions.
Other than telling users to never call initialize_copy directly, I'm not
sure what to do about it. It would be a lot of effort to fix every
existing extension out there.
Moving towards rb_data_type_t should allow CRuby to enforce this
transparently.
Maybe other folks have better ideas...
Updated by jhaberman (Josh Haberman) over 8 years ago
Yes it seems like all uses of Data_Get_Struct() should be changed to use TypedData_Get_Struct() instead, doesn't it? TypedData* seems like a strictly better interface and it can provide type checking.
There are probably other instances of this in the standard library that don't involve initialize_copy.
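As an added illustration (not code from the report, from the json/zlib extensions, or from CRuby), the following pure-Ruby model shows the property that TypedData_Get_Struct() gives a C extension and that Data_Get_Struct() lacks: initialize_copy verifies the type of the object it was handed before reading its internal state, so a foreign object produces a TypeError instead of being reinterpreted. It also includes a small probe that reports whether a class's initialize_copy rejects a foreign object, which is a cheap regression check to run against extension classes such as the State class in the report. The class name NativeHandle, its Hash-based stand-in for a native struct, and the probe function are hypothetical.

```ruby
require 'json'

# Hypothetical wrapper standing in for an extension object that owns a native
# struct. The struct is modelled as a plain Hash.
class NativeHandle
  def initialize(level = 6)
    @struct = { level: level, buffer: "".dup }
  end

  def level
    @struct[:level]
  end

  # Mirrors what TypedData_Get_Struct() does in C: refuse to hand out the
  # struct of an object that is not tagged as this type, rather than casting
  # whatever pointer the object carries.
  def self.get_struct(obj)
    unless obj.instance_of?(NativeHandle)
      raise TypeError, "wrong argument type #{obj.class} (expected #{name})"
    end
    obj.instance_variable_get(:@struct)
  end

  # Copying reads the source struct through the checked accessor, so calling
  # initialize_copy directly with a foreign object fails loudly instead of
  # corrupting memory as the unchecked Data_Get_Struct() path does.
  def initialize_copy(orig)
    return self if equal?(orig)
    src = self.class.get_struct(orig)
    @struct = { level: src[:level], buffer: src[:buffer].dup }
    super
  end
end

# Probe: does +klass+'s initialize_copy reject +foreign+ (an object of another
# type)? Returns :rejected on TypeError, :accepted otherwise. initialize_copy
# is private, so it is reached via send, exactly as the report's reproducer
# reaches it from inside the class.
def probe_initialize_copy(klass, foreign, *init_args)
  target = klass.new(*init_args)
  target.send(:initialize_copy, foreign)
  :accepted
rescue TypeError
  :rejected
end

if __FILE__ == $0
  puts "model, foreign object: #{probe_initialize_copy(NativeHandle, Object.new)}"
  puts "model, same type:      #{probe_initialize_copy(NativeHandle, NativeHandle.new(9))}"
  puts "dup keeps state:       #{NativeHandle.new(9).dup.level}"
  # The class from the report; on a patched Ruby this must print :rejected.
  puts "JSON State, String:    #{probe_initialize_copy(JSON::State, 'not a state')}"
end
```

The probe is deliberately generic: pass it any extension class plus an object of an unrelated type, and :accepted is the signal that the class still reaches into the argument without a type check. On a Ruby that has the fix the json State class reports :rejected; on the affected versions the reporter's program shows what happens instead.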
Updated by hsbt (Hiroshi SHIBATA) about 7 years ago
- Description updated (diff)
It still happens with 2.1.10.
Updated by nobu (Nobuyoshi Nakada) about 7 years ago
- Description updated (diff)
- Status changed from Open to Closed
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN to 2.1: REQUIRED
It doesn't happen with 2.2.5.