Project

General

Profile

Bug #15946

Undefined behavior can occur with memcpy in String#sub!

Added by luke-gru (Luke Gruber) over 1 year ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:93295]

Description

Hi, I've found an overlapping memcpy in an odd situation:

s = "hello there this is a long string and cant be embedded"
s2 = s.dup # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2) # just 1 example that exhibits the undefined behavior memcpy

In the c function rb_str_sub_bang(), I added a printf call and here's the output:

if (rlen != plen) {
     memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n", p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen);

Doesn't crash on my system but possible on some systems.

Thanks :)

Updated by nobu (Nobuyoshi Nakada) over 1 year ago

Thank you.
s3 doesn't seem to need to share s.

#2

Updated by nobu (Nobuyoshi Nakada) over 1 year ago

  • Status changed from Open to Closed

Applied in changeset git|8f51da5d41f0642d5a971e4223d1ba14643c6398.


Get rid of undefined behavior

  • string.c (rb_str_sub_bang): str and repl can be same. [Bug #15946]
#3

Updated by nobu (Nobuyoshi Nakada) over 1 year ago

  • Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED

Updated by nagachika (Tomoyuki Chikanaga) about 1 year ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67739 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.

Updated by usa (Usaku NAKAMURA) about 1 year ago

  • Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67770 merged revision(s) 8f51da5d41f0642d5a971e4223d1ba14643c6398.

Also available in: Atom PDF