Actions
Bug #15946
closedUndefined behavior can occur with memcpy in String#sub!
Description
Hi, I've found an overlapping memcpy in an odd situation:
s = "hello there this is a long string and cant be embedded"
s2 = s.dup # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2) # just 1 example that exhibits the undefined behavior memcpy
In the c function rb_str_sub_bang()
, I added a printf call and here's the output:
if (rlen != plen) {
memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n", p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen);
Doesn't crash on my system but possible on some systems.
Thanks :)
Updated by nobu (Nobuyoshi Nakada) over 5 years ago
Thank you.
s3
doesn't seem to need to share s
.
Updated by nobu (Nobuyoshi Nakada) over 5 years ago
- Status changed from Open to Closed
Applied in changeset git|8f51da5d41f0642d5a971e4223d1ba14643c6398.
Get rid of undefined behavior
- string.c (rb_str_sub_bang): str and repl can be same.
[Bug #15946]
Updated by nobu (Nobuyoshi Nakada) over 5 years ago
- Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) over 5 years ago
- Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE
ruby_2_6 r67739 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.
Updated by usa (Usaku NAKAMURA) over 5 years ago
- Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE
ruby_2_5 r67770 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.
Actions
Like0
Like0Like0Like0Like0Like0