Bug #10296

SEGV from unchecked Data_Get_Struct() argument

Added by jhaberman (Josh Haberman) about 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.1.3p242 (2014-09-19 revision 47630) [x86_64-darwin13.0]
Backport:
[ruby-core:65276]

Description

I can crash all Ruby versions I tried with this program:

require 'json'
require 'zlib'

module JSON
  module Ext
    module Generator
      class State
        # initialize_copy is private; reopening the class lets it be
        # called from inside with an object that is not a State at all.
        def foo
          # Zlib::GzipWriter wraps an unrelated C struct. The json
          # extension fetches it with Data_Get_Struct(), which does not
          # check the wrapped type, so the struct is read as if it were
          # a JSON_Generator_State and the process crashes.
          initialize_copy(Zlib::GzipWriter.new('foo.gz'))
        end
      end
    end
  end
end

state = JSON::Ext::Generator::State.new.foo

Updated by normalperson (Eric Wong) about 8 years ago

Calling initialize_copy directly is probably buggy behavior and not
unique to just the json/zlib C extensions.

Other than telling users to never call initialize_copy directly, I'm not
sure what to do about it. It would be a lot of effort to fix every
existing extension out there.

Moving towards rb_data_type_t should allow CRuby to enforce this
transparently.

Maybe other folks have better ideas...

Updated by jhaberman (Josh Haberman) about 8 years ago

Yes it seems like all uses of Data_Get_Struct() should be changed to use TypedData_Get_Struct() instead, doesn't it? TypedData* seems like a strictly better interface and it can provide type checking.

There are probably other instances of this in the standard library that don't involve initialize_copy.
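
A regression check for the behaviour discussed in this thread, added here as an example (it is not code from the report or from CRuby): it runs the initialize_copy call in a child interpreter, so a build whose extension still uses the unchecked Data_Get_Struct() is recorded as a crash instead of taking the checker down, while a TypedData_Get_Struct() build reports a TypeError. The function name probe_initialize_copy and the child's exit codes are conventions chosen for this example, and the target/foreign expressions can be swapped to probe other extensions the same way.

```ruby
require 'rbconfig'

# Runs `target.send(:initialize_copy, foreign)` in a separate ruby process
# and classifies the outcome. With the unchecked Data_Get_Struct() the child
# dies from a signal (CRuby's SEGV handler prints a bug report, then aborts);
# with TypedData_Get_Struct() the type mismatch raises TypeError instead.
# Returns :type_error, :no_error, :crash or :other.
def probe_initialize_copy(target_expr, foreign_expr)
  # Child script; exit codes 3 and 4 are a convention of this example.
  script = <<~RUBY
    require 'json'
    require 'zlib'
    require 'stringio'
    target  = (#{target_expr})
    foreign = (#{foreign_expr})
    begin
      target.send(:initialize_copy, foreign)   # private, hence send
    rescue TypeError
      exit 3
    rescue StandardError, ScriptError
      exit 4
    end
    exit 0
  RUBY
  # Silence the child's crash report and warnings; only the status matters.
  pid = Process.spawn(RbConfig.ruby, '-e', script, err: File::NULL, out: File::NULL)
  _, status = Process.wait2(pid)
  return :crash if status.signaled?
  case status.exitstatus
  when 0 then :no_error
  when 3 then :type_error
  else :other
  end
end

# The case from the report: a GzipWriter (wrapping a different C struct)
# handed to JSON's State#initialize_copy. A StringIO sink avoids writing foo.gz.
STATE   = "JSON::Ext::Generator::State.new"
GZWRITE = "Zlib::GzipWriter.new(StringIO.new)"

if __FILE__ == $0
  puts "foreign GzipWriter: #{probe_initialize_copy(STATE, GZWRITE)}"     # fixed build: type_error
  puts "plain String:       #{probe_initialize_copy(STATE, '"not a State"')}"
  puts "another State:      #{probe_initialize_copy(STATE, STATE)}"       # no_error
end
```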

Updated by hsbt (Hiroshi SHIBATA) over 6 years ago

  • Description updated (diff)

It still happens with 2.1.10.

Updated by nobu (Nobuyoshi Nakada) over 6 years ago

  • Description updated (diff)
  • Status changed from Open to Closed
  • Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN to 2.1: REQUIRED

It doesn't happen with 2.2.5.
