Bug #11192
closed
capture group special variable with large index invokes UB
Added by cremno (cremno phobia) about 9 years ago.
Updated about 9 years ago.
Description
$ ruby --dump=parsetree -e "$9999999999"
###########################################################
## Do NOT use this node dump for any purpose other than ##
## debug and research. Compatibility is not guaranteed. ##
###########################################################
# @ NODE_SCOPE (line: 1)
# +- nd_tbl: (empty)
# +- nd_args:
# | (null node)
# +- nd_body:
# @ NODE_NTH_REF (line: 1)
# +- nd_nth: $1410065407
The culprit is this line in parse.y which contains a call to atoi().
A simple, non-intrusive fix could be calling a function with well-defined behavior when the resulting value can't be represented instead (such as strtoul()) and of course also adding a range check. But perhaps a syntax error is undesired here.
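The approach suggested in the description (strtoul() plus a range check), as an added example that is not Ruby's parse.y code or the committed fix. The names `parse_nth_ref`, `low32_of_decimal` and the bound `NTH_REF_MAX` are assumptions made for illustration; the page does not state the limit Ruby enforces.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical upper bound for a capture group index (assumption of this example). */
#define NTH_REF_MAX (INT_MAX >> 1)

/* Parse the digits that follow '$'. Returns the index, or -1 when the text
 * is not purely decimal digits or the value is out of range. */
long parse_nth_ref(const char *digits)
{
    char *end;
    unsigned long v;

    /* strtoul() skips leading whitespace and accepts a sign; reject both. */
    if (!isdigit((unsigned char)digits[0]))
        return -1;

    errno = 0;
    v = strtoul(digits, &end, 10);
    if (*end != '\0')
        return -1;                      /* trailing non-digit characters */
    if (errno == ERANGE)
        return -1;                      /* does not fit in unsigned long */
    if (v > (unsigned long)NTH_REF_MAX)
        return -1;                      /* representable, but not a valid index */
    return (long)v;
}

/* Low 32 bits of a decimal string, using well-defined unsigned wraparound.
 * For "9999999999" this equals the nd_nth value shown in the dump above. */
uint32_t low32_of_decimal(const char *digits)
{
    uint32_t v = 0;
    for (; isdigit((unsigned char)*digits); digits++)
        v = v * 10u + (uint32_t)(*digits - '0');
    return v;
}

int main(void)
{
    printf("%ld %lu\n", parse_nth_ref("9999999999"),
           (unsigned long)low32_of_decimal("9999999999"));
    return 0;
}
```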
- Status changed from Open to Closed
Applied in changeset r50671.
parse.y: check NTH_REF range
- compile.c (iseq_compile_each): out of range NTH_REF is always
nil.
- parse.y (parse_numvar): check overflow of NTH_REF and range.
[ruby-core:69393] [Bug #11192]
- util.c (ruby_scan_digits): make public and add length parameter.
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: REQUIRED, 2.2: REQUIRED
- Backport changed from 2.0.0: WONTFIX, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED
ruby_2_1 r51122 merged revision(s) 50671.
- Backport changed from 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
Backported into ruby_2_2 branch at r51132.
- Backport changed from 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE to 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED
Sorry, previous comment is a mistake.
- Backport changed from 2.0.0: WONTFIX, 2.1: DONE, 2.2: REQUIRED to 2.0.0: WONTFIX, 2.1: DONE, 2.2: DONE
Backported into ruby_2_2 at r51134.