Bug #10296

closed

SEGV from unchecked Data_Get_Struct() argument

Added by jhaberman (Josh Haberman) about 10 years ago. Updated over 8 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.1.3p242 (2014-09-19 revision 47630) [x86_64-darwin13.0]
Backport:
2.1: REQUIRED

[ruby-core:65276]

Description

I can crash all Ruby versions I tried with this program:

require 'json'
require 'zlib'

# Reopen the C-implemented State class and call its initialize_copy directly,
# handing it an object of an unrelated T_DATA class. The C code fetches the
# argument's wrapped struct with Data_Get_Struct(), which does not check the
# object's type, so the GzipWriter's struct is read as a generator State.
module JSON
  module Ext
    module Generator
      class State
        def foo
          initialize_copy(Zlib::GzipWriter.new('foo.gz'))
        end
      end
    end
  end
end

state = JSON::Ext::Generator::State.new.foo

Updated by normalperson (Eric Wong) about 10 years ago

Calling initialize_copy directly is probably buggy behavior and not
unique to just the json/zlib C extensions.

Other than telling users to never call initialize_copy directly, I'm not
sure what to do about it. It would be a lot of effort to fix every
existing extension out there.

Moving towards rb_data_type_t should allow CRuby to enforce this
transparently.

Maybe other folks have better ideas...

Updated by jhaberman (Josh Haberman) about 10 years ago

Yes it seems like all uses of Data_Get_Struct() should be changed to use TypedData_Get_Struct() instead, doesn't it? TypedData* seems like a strictly better interface and it can provide type checking.

There are probably other instances of this in the standard library that don't involve initialize_copy.
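
The distinction the two comments above draw between Data_Get_Struct() and TypedData_Get_Struct(), as an added example that is not code from CRuby or from the json or zlib extensions: a plain-C model of the T_DATA mechanism that builds without ruby.h. The value_t and data_type_t types, the two struct layouts and the function names are assumptions chosen to mirror rb_data_type_t, rb_typeddata_is_kind_of() and the two accessor macros; where CRuby raises TypeError the model returns NULL so the caller can bail out.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of CRuby's rb_data_type_t: the wrapped struct's name plus an optional
 * parent descriptor (for subclassed typed data). Only the address matters. */
typedef struct data_type {
    const char *wrap_struct_name;
    const struct data_type *parent;
} data_type_t;

/* Model of a T_DATA object. Objects created with Data_Wrap_Struct() carry no
 * descriptor (type == NULL); TypedData_Wrap_Struct() objects carry one. */
typedef struct {
    const data_type_t *type;
    void *data;
} value_t;

/* Two unrelated C structs that both reach Ruby as T_DATA objects.
 * The layouts are assumptions, not the real json/zlib structs. */
typedef struct {
    long max_nesting;
    int ascii_only;
    char indent[16];
} json_state_t;

typedef struct {
    int fd;
    unsigned char *out_buf;
    size_t out_len;
} gzip_writer_t;

static const data_type_t json_state_type  = { "JSON/Generator/State", NULL };
static const data_type_t gzip_writer_type = { "Zlib::GzipWriter",     NULL };

/* Data_Get_Struct(): hands back whatever pointer the object holds. No check. */
static void *data_get_struct(const value_t *obj)
{
    return obj->data;
}

/* rb_typeddata_is_kind_of(): compare descriptors by address, walking parents. */
static int typeddata_is_kind_of(const value_t *obj, const data_type_t *want)
{
    const data_type_t *t;
    for (t = obj->type; t != NULL; t = t->parent)
        if (t == want)
            return 1;
    return 0;
}

/* TypedData_Get_Struct(): refuse the pointer unless the descriptor matches.
 * CRuby raises TypeError here; this model returns NULL instead. */
static void *typed_data_get_struct(const value_t *obj, const data_type_t *want)
{
    if (!typeddata_is_kind_of(obj, want)) {
        fprintf(stderr, "wrong argument type %s (expected %s)\n",
                obj->type ? obj->type->wrap_struct_name : "Data",
                want->wrap_struct_name);
        return NULL;
    }
    return obj->data;
}

/* Shape of the bug: State#initialize_copy(orig) fetching orig's struct with the
 * untyped accessor. Returns the pointer the C code would then read as a
 * json_state_t; when orig is a GzipWriter, that is its gzip_writer_t. */
static json_state_t *state_init_copy_source_unchecked(const value_t *orig)
{
    return (json_state_t *)data_get_struct(orig);
}

/* Hardened form: receiver and argument both go through the typed accessor.
 * Returns 1 on success, 0 when either object is not a generator State. */
static int state_init_copy_checked(value_t *self, const value_t *orig)
{
    json_state_t *dst = typed_data_get_struct(self, &json_state_type);
    json_state_t *src = typed_data_get_struct(orig, &json_state_type);
    if (dst == NULL || src == NULL)
        return 0;
    *dst = *src;
    return 1;
}

int main(void)
{
    json_state_t a = { 100, 0, "" }, b = { 19, 1, "  " };
    gzip_writer_t gz = { 3, NULL, 0 };
    value_t state_a = { &json_state_type, &a };
    value_t state_b = { &json_state_type, &b };
    value_t writer  = { &gzip_writer_type, &gz };
    value_t legacy  = { NULL, &b };   /* wrapped with plain Data_Wrap_Struct() */

    /* Untyped accessor: the State code now holds a pointer to a gzip_writer_t. */
    printf("unchecked source is the GzipWriter struct: %d\n",
           (void *)state_init_copy_source_unchecked(&writer) == (void *)&gz);
    printf("checked copy from GzipWriter: %d\n", state_init_copy_checked(&state_a, &writer));
    printf("checked copy from untyped object: %d\n", state_init_copy_checked(&state_a, &legacy));
    printf("checked copy from State: %d (max_nesting=%ld)\n",
           state_init_copy_checked(&state_a, &state_b), a.max_nesting);
    return 0;
}
```

The check is a pointer comparison against a descriptor defined once per class, which is why the typed accessors cost nothing measurable. The model also shows the other half of the point: an object wrapped without a descriptor is rejected by the typed accessor too, so once the receiver's own class has moved to rb_data_type_t, a foreign object passed to initialize_copy is refused whether or not its extension has been converted.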

Updated by hsbt (Hiroshi SHIBATA) over 8 years ago

  • Description updated (diff)

It still happens with 2.1.10.

Updated by nobu (Nobuyoshi Nakada) over 8 years ago

  • Description updated (diff)
  • Status changed from Open to Closed
  • Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN to 2.1: REQUIRED

It doesn't happen with 2.2.5.
