Bug #10296
closed
SEGV from unchecked Data_Get_Struct() argument
Description
I can crash all Ruby versions I tried with this program:
require 'json'
require 'zlib'
module JSON
module Ext
module Generator
class State
def foo
initialize_copy(Zlib::GzipWriter.new('foo.gz'))
end
end
end
end
end
state = JSON::Ext::Generator::State.new.foo
Updated by normalperson (Eric Wong) over 10 years ago
Calling initialize_copy directly is probably buggy behavior and not
unique to just the json/zlib C extensions.
Other than telling users to never call initialize_copy directly, I'm not
sure what to do about it. It would be a lot of effort to fix every
existing extension out there.
Moving towards rb_data_type_t should allow CRuby to enforce this
transparently.
Maybe other folks have better ideas...
Updated by jhaberman (Josh Haberman) over 10 years ago
Yes it seems like all uses of Data_Get_Struct() should be changed to use TypedData_Get_Struct() instead, doesn't it? TypedData* seems like a strictly better interface and it can provide type checking.
There are probably other instances of this in the standard library that don't involve initialize_copy.
Updated by hsbt (Hiroshi SHIBATA) about 9 years ago
- Description updated (diff)
It still happens with 2.1.10.
Updated by nobu (Nobuyoshi Nakada) about 9 years ago
- Description updated (diff)
- Status changed from Open to Closed
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN to 2.1: REQUIRED
It doesn't happen with 2.2.5.