Bug #15946

closed

Undefined behavior can occur with memcpy in String#sub!

Added by luke-gru (Luke Gruber) over 5 years ago. Updated about 5 years ago.

Status: Closed
Assignee: -
Target version: -
[ruby-core:93295]

Description

Hi, I've found an overlapping memcpy in an odd situation:

s = "hello there this is a long string and cant be embedded"
s2 = s.dup # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2) # just 1 example that exhibits the undefined behavior memcpy

In the C function rb_str_sub_bang(), I added a printf call and here's the output:

if (rlen != plen) {
     memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n", p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen);

Doesn't crash on my system but possible on some systems.

Thanks :)
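
An added example, not code from Ruby's string.c or from the changeset: a stand-alone C sketch of the in-place replacement step, run on the aliasing case from the report (`rp == p`, `beg0` 1, `rlen` 54). The names `regions_overlap`, `replace_span` and `demo_aliased_sub` are hypothetical, and snapshotting an aliased replacement before copying is an assumption of this sketch, not a description of the applied fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when [a, a+alen) and [b, b+blen) share at least one byte. */
static int regions_overlap(const void *a, size_t alen, const void *b, size_t blen)
{
    uintptr_t pa = (uintptr_t)a, pb = (uintptr_t)b;
    return alen && blen && pa < pb + blen && pb < pa + alen;
}

/* Replace buf[beg, beg+plen) with rlen bytes from rp, which may point into buf.
 * len is the current content length, cap the usable allocation size.
 * Returns the new length, or -1 on bad arguments or allocation failure. */
static long replace_span(char *buf, size_t len, size_t cap, size_t beg,
                         size_t plen, const char *rp, size_t rlen)
{
    char *tmp = NULL;
    if (len > cap || beg > len || plen > len - beg) return -1;
    if (rlen > cap - (len - plen)) return -1;     /* result would not fit */
    if (regions_overlap(buf, cap, rp, rlen)) {
        /* Aliased source: snapshot it before any byte of buf moves. */
        if (!(tmp = malloc(rlen))) return -1;
        memcpy(tmp, rp, rlen);                    /* tmp is fresh: disjoint */
        rp = tmp;
    }
    if (rlen != plen)   /* tail shifts inside buf, ranges may overlap: memmove */
        memmove(buf + beg + rlen, buf + beg + plen, len - beg - plen);
    memcpy(buf + beg, rp, rlen);                  /* source is now disjoint */
    free(tmp);
    return (long)(len - plen + rlen);
}

/* Constructed input mirroring the report: the replacement is the buffer
 * itself and the pattern is everything from offset 1. Returns 1 on "h" + s. */
static int demo_aliased_sub(void)
{
    const char s[] = "hello there this is a long string and cant be embedded";
    char buf[128], expect[128];
    size_t len = strlen(s);                       /* 54, the reported rlen */
    memcpy(buf, s, len + 1);
    snprintf(expect, sizeof expect, "h%s", s);
    long n = replace_span(buf, len, sizeof buf - 1, 1, len - 1, buf, len);
    if (n < 0) return 0;
    buf[n] = '\0';
    return n == 55 && strcmp(buf, expect) == 0;
}
int main(void) { printf("%d\n", demo_aliased_sub()); return 0; }
```

Building this with `-fsanitize=address` and swapping the snapshot branch for a direct `memcpy(buf + beg, rp, rlen)` makes the sanitizer report the overlapping ranges, which is a practical way to catch this class of bug in tests.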

Updated by nobu (Nobuyoshi Nakada) over 5 years ago

Thank you.
s3 doesn't seem to need to share s.


Updated by nobu (Nobuyoshi Nakada) over 5 years ago

  • Status changed from Open to Closed

Applied in changeset git|8f51da5d41f0642d5a971e4223d1ba14643c6398.


Get rid of undefined behavior

  • string.c (rb_str_sub_bang): str and repl can be same.
    [Bug #15946]

Updated by nobu (Nobuyoshi Nakada) over 5 years ago

  • Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) over 5 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67739 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.

Updated by usa (Usaku NAKAMURA) about 5 years ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67770 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.
