Bug #12757: Wrong overflow check in rb_str_set_len() - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #12757

closed

Wrong overflow check in rb_str_set_len()

Added by rhenium (Kazuki Yamaguchi) over 7 years ago. Updated over 7 years ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

Backport:

2.1: UNKNOWN, 2.2: REQUIRED, 2.3: REQUIRED

[ruby-core:77257]

Description

string.c:

void
rb_str_set_len(VALUE str, long len)
{
    long capa;
    const int termlen = TERM_LEN(str);

    str_modifiable(str);
    if (STR_SHARED_P(str)) {
        rb_raise(rb_eRuntimeError, "can't set length of shared string");
    }
    if (len + termlen - 1 > (capa = (long)rb_str_capacity(str))) {
        rb_bug("probable buffer overflow: %ld for %ld", len, capa);
    }
    STR_SET_LEN(str, len);
    TERM_FILL(&RSTRING_PTR(str)[len], termlen);
}

The overflow check len + termlen - 1 > (capa = (long)rb_str_capacity(str)) is wrong, as the capa does not include the space for termlen. This can cause false-positive [BUG] for String with multi-byte termlen when setting the length to the number equal to the capacity.

For example, the following code that internally calls rb_str_set_len() causes the [BUG]:

str = String.new(capacity: 100, encoding: "UTF-32BE")
IO.pipe { |r, w|
  w.write("x"*100)
  r.read(100, str)
}

Actions

Copy link

Also available in: Atom PDF

Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #12757

Wrong overflow check in rb_str_set_len()

Updated by Anonymous over 7 years ago