Bug #13075 (Closed)
String#unpack with block / String#unpack1 exposes uninitialized memory
Description
The problematic code looks like this (in pack.c, pack_unpack_internal()):
      case 'b':
        {
            VALUE bitstr;
            char *t;
            int bits;
            long i;

            if (p[-1] == '*' || len > (send - s) * 8)
                len = (send - s) * 8;
            bits = 0;
            /* yields / returns bitstr here, before the loop below fills it */
            UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
            t = RSTRING_PTR(bitstr);
            for (i=0; i<len; i++) {
                if (i & 7) bits >>= 1;
                else bits = (unsigned char)*s++;
                *t++ = (bits & 1) ? '1' : '0';
            }
        }
        break;
UNPACK_PUSH() immediately yields the value (String#unpack with block) or returns to the caller (String#unpack1), but the content bytes are not initialized at the time.
This bug dates back to r11175 (Ruby 1.9.0).
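The following is an added example, not code from the Ruby project or from this report. It reimplements in Ruby the loops that pack.c uses for the 'b', 'B', 'h' and 'H' directives (going beyond the 'b' case quoted above, since the fix covers all four), and models the two orderings the report contrasts: handing the String to the consumer before its bytes are written, versus filling it first. Because Ruby cannot hand out truly uninitialized memory, the bytes a fresh buffer might hold are stood in for by a constructed marker byte (STALE). The example assumes the consumer snapshots the value with dup at hand-over time, which is what a block or the String#unpack1 caller is free to do; the final helper cross-checks the reference against the running interpreter's own String#unpack, String#unpack1 and block form, so a practitioner can confirm the backport is present.

```ruby
# Added example: reference decoders mirroring pack.c for 'b', 'B', 'h', 'H',
# plus the buggy and fixed hand-over orderings. Not the Ruby project's code.

STALE = "\xEE".b   # constructed stand-in for whatever bytes a fresh buffer holds
HEX = "0123456789abcdef"

# Output length for a directive applied to +bytes+ with +count+ (nil means '*'),
# using the same clamp pack.c applies: 8 chars per byte for bits, 2 for nibbles.
def output_length(directive, bytes, count)
  per_byte = (directive == 'b' || directive == 'B') ? 8 : 2
  max = bytes.bytesize * per_byte
  (count.nil? || count > max) ? max : count
end

# Fill +out+ (a binary String already sized by output_length) in place.
#   'b': bits LSB first   'B': bits MSB first
#   'h': low nibble first 'H': high nibble first
def fill_directive!(directive, bytes, out)
  out.bytesize.times do |i|
    ch = case directive
         when 'b' then ((bytes.getbyte(i / 8) >> (i % 8)) & 1).to_s
         when 'B' then ((bytes.getbyte(i / 8) >> (7 - i % 8)) & 1).to_s
         when 'h' then HEX[(bytes.getbyte(i / 2) >> (4 * (i % 2))) & 15]
         when 'H' then HEX[(bytes.getbyte(i / 2) >> (4 * (1 - i % 2))) & 15]
         else raise ArgumentError, "unsupported directive #{directive.inspect}"
         end
    out.setbyte(i, ch.ord)
  end
  out
end

# The ordering the report describes: the String reaches the consumer (block or
# unpack1 caller) before its content bytes are written.
def unpack_push_then_fill(directive, bytes, count = nil)
  len = output_length(directive, bytes, count)
  out = STALE * len
  yield out                       # consumer sees the still-unfilled bytes
  fill_directive!(directive, bytes, out)
end

# The fixed ordering: fill first, then hand the finished String over.
def unpack_fill_then_push(directive, bytes, count = nil)
  len = output_length(directive, bytes, count)
  out = fill_directive!(directive, bytes, STALE * len)
  yield out
  out
end

# What a consumer that snapshots the value at hand-over time observes.
def observed(ordering, directive, bytes, count = nil)
  seen = nil
  send(ordering, directive, bytes, count) { |v| seen = v.dup }
  seen
end

# Cross-check against the running interpreter: String#unpack, String#unpack1
# and the block form must all yield the fully filled value the reference
# produces. On an unpatched interpreter unpack1 and the block form may differ.
def consistent_with_mri?(directive, bytes, count = nil)
  fmt = "#{directive}#{count || '*'}"
  expected = unpack_fill_then_push(directive, bytes, count) { }.b
  yielded = nil
  bytes.unpack(fmt) { |v| yielded = v.dup }
  [bytes.unpack(fmt).first, bytes.unpack1(fmt), yielded].all? { |v| v.b == expected }
end

if __FILE__ == $0
  sample = "\xA6\x0F".b   # constructed input
  %w[b B h H].each do |d|
    puts "#{d}*: buggy consumer saw #{observed(:unpack_push_then_fill, d, sample).inspect}, " \
         "fixed consumer saw #{observed(:unpack_fill_then_push, d, sample).inspect}, " \
         "MRI consistent: #{consistent_with_mri?(d, sample)}"
  end
end
```

The key difference is only the position of the yield relative to the fill loop, which is exactly what r57187 changes; everything else about the decoding is identical, so the unpatched ordering produces correct array results (the array form never reads the String until after the loop) while still exposing stale bytes to a block or to unpack1.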
Updated by Anonymous over 7 years ago
- Status changed from Open to Closed
Applied in changeset r57187.
pack.c: avoid returning uninitialized String
Fix unpacking with 'b', 'B', 'h' and 'H' format. Do not return an
uninitialized String to Ruby before filling the content bytes.
Fixes r11175 ("pack.c (pack_unpack): execute block if given with
unpacked value instead of creating an array", 2006-10-15).
[ruby-core:78841] [Bug #13075]
Updated by naruse (Yui NARUSE) about 7 years ago
- Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED, 2.4: REQUIRED to 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED, 2.4: DONE
ruby_2_4 r57833 merged revision(s) 57187,57234.
Updated by usa (Usaku NAKAMURA) about 7 years ago
- Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED, 2.4: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED, 2.4: DONE
ruby_2_2 r58088 merged revision(s) 57187,57234.
Updated by nagachika (Tomoyuki Chikanaga) about 7 years ago
- Backport changed from 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED, 2.4: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: DONE, 2.4: DONE
ruby_2_3 r58171 merged revision(s) 57187,57234.