
Bug #22125: IO::Buffer triggers use-after-free when it's freed/resized during enumeration

Added by hanazuki (Kasumi Hanazuki) 3 days ago. Updated 2 days ago.

Status:
Open
Assignee:
-
Target version:
-
ruby -v:
ruby 4.1.0dev (2026-06-23T09:56:24Z master 55945e5c98) +PRISM [x86_64-linux]
[ruby-core:125811]

Description

The block passed to IO::Buffer#each can free or resize the receiver (or its parent buffer when the receiver is a slice), which invalidates the memory region being iterated. The next iteration then reads from released or reallocated memory, i.e. a use-after-free.

repro:

./miniruby -ve 'b=IO::Buffer.for("ruby"*10).dup; b.each {|_, v| p v; b.free }'
./miniruby -ve 'b=IO::Buffer.for("ruby"*10).dup; b.each {|_, v| p v; b.resize(20) }'
./miniruby -ve 'b=IO::Buffer.for("ruby"*10).dup; b1=b.slice; b1.each {|_, v| p v; b.free }'

# No use-after-free but I think those should be errors too
./miniruby -ve 'b=IO::Buffer.for("ruby"*10).dup; b1=b.slice; b1.each {|_, v| p v; b1.free }'
./miniruby -ve 'b=IO::Buffer.for("ruby"*10).dup; b.each {|_, v| p v; b.transfer }'

The same applies to #each_byte.
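Until the core enumerators re-validate the buffer between yields, callers whose block may release or resize the buffer can protect themselves in userland. The following is an added example, not code from the bug report or from Ruby itself: it wraps an IO::Buffer in a hypothetical GuardedBufferEnumerator with two strategies, a snapshot (copy the bytes out first, so the block may free the original safely) and a per-iteration check (refuse to read once the buffer is null or its size changed, raising a hypothetical BufferMutatedDuringIteration instead). The input mirrors the report's repro, `IO::Buffer.for("ruby" * 10).dup`.

```ruby
# Added example (not the bug report's own code): two defensive ways to iterate
# an IO::Buffer when the block might free or resize it mid-enumeration.
# Both avoid reading memory that the block may already have released.

# Raised by each_byte_checked when the buffer is freed or resized by the block
# while enumeration is in progress. (Hypothetical name, not a core class.)
class BufferMutatedDuringIteration < StandardError; end

class GuardedBufferEnumerator
  def initialize(buffer)
    @buffer = buffer
  end

  # Strategy 1: snapshot. Copy the bytes into a Ruby String before yielding
  # anything; the block may then free or resize the original buffer safely,
  # because enumeration proceeds over the copy, not the live memory.
  # Returns the number of bytes yielded.
  def each_byte_snapshot
    snapshot = @buffer.get_string # copies the buffer's bytes into a String
    snapshot.each_byte.with_index { |byte, offset| yield offset, byte }
    snapshot.bytesize
  end

  # Strategy 2: re-validate before every read. No copy, but it detects rather
  # than tolerates a free or resize: it raises before touching memory the
  # block may have released. Returns the number of bytes yielded.
  def each_byte_checked
    expected_size = @buffer.size
    offset = 0
    while offset < expected_size
      if @buffer.null? || @buffer.size != expected_size
        raise BufferMutatedDuringIteration,
              "buffer freed or resized during iteration at offset #{offset}"
      end
      yield offset, @buffer.get_value(:U8, offset)
      offset += 1
    end
    offset
  end
end

# Constructed input mirroring the report's repro: a 40-byte mutable buffer.
def make_buffer
  IO::Buffer.for("ruby" * 10).dup
end

# Snapshot strategy: the block frees the buffer on the first byte, yet the
# enumeration still completes over the copy. Returns bytes yielded.
def run_snapshot_with_free
  b = make_buffer
  GuardedBufferEnumerator.new(b).each_byte_snapshot { |_, _| b.free unless b.null? }
end

# Checked strategy: `mutate` is a lambda applied to the buffer after each
# yield (e.g. free or resize). Returns [:raised, n] if the wrapper detected a
# mutation after n bytes, or [:completed, n] if it iterated to the end.
def run_checked(mutate)
  b = make_buffer
  seen = 0
  begin
    GuardedBufferEnumerator.new(b).each_byte_checked do |_, _|
      seen += 1
      mutate.call(b)
    end
  rescue BufferMutatedDuringIteration
    return [:raised, seen]
  end
  [:completed, seen]
end

if __FILE__ == $PROGRAM_NAME
  p run_snapshot_with_free
  p run_checked(->(b) { b.resize(20) })
  p run_checked(->(b) { b.free })
  p run_checked(->(_) {})
end
```

The snapshot strategy costs one copy of the buffer but makes any mutation in the block harmless; the checked strategy is zero-copy and is the pattern the core `each`/`each_byte` implementations would need (re-validating the receiver, and a slice's source, before every read) to turn these repros into exceptions rather than memory-safety bugs.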
