Bug #11192: capture group special variable with large index invokes UB - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #11192

closed

capture group special variable with large index invokes UB

Added by cremno (cremno phobia) almost 9 years ago. Updated almost 9 years ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

Backport:

2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE

[ruby-core:69393]

Description

$ ruby --dump=parsetree -e "$9999999999"
###########################################################
## Do NOT use this node dump for any purpose other than  ##
## debug and research.  Compatibility is not guaranteed. ##
###########################################################

# @ NODE_SCOPE (line: 1)
# +- nd_tbl: (empty)
# +- nd_args:
# |   (null node)
# +- nd_body:
#     @ NODE_NTH_REF (line: 1)
#     +- nd_nth: $1410065407

The culprit is this line in parse.y which contains a call to atoi().

A simple, non-intrusive fix could be calling a function with well-defined behavior when the resulting value can't be represented instead (such as strtoul()) and of course also adding a range check. But perhaps a syntax error is undesired here.

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by nobu (Nobuyoshi Nakada) almost 9 years ago

Status changed from Open to Closed

Applied in changeset r50671.

parse.y: check NTH_REF range

compile.c (iseq_compile_each): out of range NTH_REF is always
nil.
parse.y (parse_numvar): check overflow of NTH_REF and range.
[ruby-core:69393] [Bug #11192]
util.c (ruby_scan_digits): make public and add length parameter.

Actions

Copy link

#2 [ruby-core:69803]