Bug #14359

closed

IO#ungetbyte integer overflow

Added by shyouhei (Shyouhei Urabe) about 6 years ago. Updated over 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:84872]

Description

In Ruby's IO, a "byte" means an integer of range 0...256.
However, IO#ungetbyte is the only exception.
It does not check the argument to accept liberal integers.

File.open("/dev/zero") {|f| f.ungetbyte(-1); p f.read(2) } # => "\xFF\x00"
File.open("/dev/zero") {|f| f.ungetbyte(257); p f.read(2) } # => "\x01\x00"

I see no vulnerability so just filing this as a normal bug.

Actions #1

Updated by shyouhei (Shyouhei Urabe) over 5 years ago

  • Status changed from Open to Closed

Applied in changeset trunk|r65802.


io.c: ungetbyte silently ignores upper bits

The behaviour of IO#ungetbyte has been depending on the width of
Fixnums. Fixnums should be invisible nowadays. It must be a
bug. Fix [Bug #14359]
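
The wrap-around in the report and the "ignores upper bits" behaviour named in the changeset title, as an added example (not part of the original report or of the Ruby changeset). `masked_byte` models the low-8-bit truncation and `strict_ungetbyte` is a hypothetical caller-side helper that rejects values outside 0...256; both names and the sample values are assumptions made for illustration.

```ruby
require "stringio"

# Model of the behaviour the changeset title describes: only the low 8 bits
# of the Integer are kept, whatever its sign or size.
def masked_byte(n)
  raise TypeError, "expected Integer, got #{n.class}" unless n.is_a?(Integer)
  n & 0xff
end

# Hypothetical strict helper: refuse anything outside 0...256 instead of
# letting it wrap around to a different byte.
def strict_ungetbyte(io, byte)
  unless byte.is_a?(Integer) && (0...256).cover?(byte)
    raise RangeError, "#{byte.inspect} is not a byte (0...256)"
  end
  io.ungetbyte(byte)
end

# Constructed sample arguments: the two from the report, the range
# boundaries, a negative multiple of 256 and a value wider than 64 bits.
SAMPLES = [-1, 257, 0, 255, 256, -256, 2**64 + 1].freeze

# Pairs of [argument, byte that masking would push back].
def wrap_table
  SAMPLES.map { |n| [n, masked_byte(n)] }
end

# Pushes one valid byte back onto a constructed two-byte stream, then shows
# that the out-of-range arguments from the report are rejected.
def demo
  io = StringIO.new(String.new("\x00\x00"))
  strict_ungetbyte(io, 0x41)
  accepted = io.read(2).bytes
  rejected = [-1, 257].map do |n|
    begin
      strict_ungetbyte(io, n)
      false
    rescue RangeError
      true
    end
  end
  [accepted, rejected]
end

if __FILE__ == $PROGRAM_NAME
  wrap_table.each { |n, b| puts format("%22d -> 0x%02X", n, b) }
  p demo
end
```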
