Bug #2383

Updated by jeremyevans0 (Jeremy Evans) over 4 years ago

=begin

In win32.c, in rb_w32_getenv, the code calls FreeEnvironmentStrings(envarea). By doing this, it invalidates memory that's currently in use.

See env_fetch in hash.c:

    ...
        env = getenv(nam);
    ...
        if (ENVMATCH(nam, PATH_ENV) && !rb_env_path_tainted())
            return rb_str_new2(env);

and in rb_env_path_tainted:

        if (path_tainted < 0) {
            path_tainted_p(getenv(PATH_ENV));
        }

The getenv call in rb_env_path_tainted frees envarea, but there's still an outstanding reference to memory in envarea: env, from env_fetch. Then we try to create a new string from env and dereference freed memory.

The repro is very simple:

    print "#{ENV["path"]}\n"

Run this under the debugger with pageheap on.

=end
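The following is an added, self-contained C model of the use-after-free pattern the report describes; it is not code from win32.c or hash.c. It simulates a `getenv` that discards its previous environment block on every call (the `sim_getenv`, `envarea_generation` and `SAMPLE_ENV_BLOCK` names and the constructed environment block are all assumptions made for the example), shows how the report's call order leaves the first pointer dangling without ever dereferencing it, and contrasts it with the mitigation of copying the value into caller-owned storage before any further `getenv` call.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed environment block in the Win32 GetEnvironmentStrings layout:
 * "NAME=value\0NAME=value\0" with a final extra NUL (the literal's own
 * terminator supplies it). Not a real process environment. */
static const char SAMPLE_ENV_BLOCK[] = "PATH=C:\\Windows\0RUBYOPT=-w\0";

/* Hypothetical stand-in for win32.c's envarea: a heap copy of the block
 * that the simulated getenv frees and rebuilds on every call. */
static char *envarea = NULL;
static unsigned envarea_generation = 0;

/* Case-insensitive "NAME=" prefix test; Win32 variable names ignore case,
 * which is why the report's repro can ask for ENV["path"]. */
static int entry_has_name(const char *entry, const char *name) {
    size_t i;
    for (i = 0; name[i]; i++) {
        if (tolower((unsigned char)entry[i]) != tolower((unsigned char)name[i]))
            return 0;
    }
    return entry[i] == '=';
}

/* Simulated rb_w32_getenv, modelled on the report: each call frees the
 * previous envarea (as FreeEnvironmentStrings does) before fetching a fresh
 * block, so any pointer returned by an earlier call is now dangling. */
static char *sim_getenv(const char *name) {
    char *p;
    free(envarea);                       /* invalidates every earlier result */
    envarea = malloc(sizeof SAMPLE_ENV_BLOCK);
    if (!envarea) return NULL;
    memcpy(envarea, SAMPLE_ENV_BLOCK, sizeof SAMPLE_ENV_BLOCK);
    envarea_generation++;
    for (p = envarea; *p; p += strlen(p) + 1) {
        if (entry_has_name(p, name))
            return p + strlen(name) + 1;  /* points into envarea */
    }
    return NULL;
}

/* The call order env_fetch uses in the report: take a pointer, then let
 * rb_env_path_tainted call getenv(PATH_ENV). Returns 1 when the first
 * pointer's backing block has been freed by the second call. The stale
 * pointer is deliberately never dereferenced here. */
int env_fetch_order_leaves_dangling(void) {
    const char *env = sim_getenv("path");
    unsigned gen_at_fetch = envarea_generation;
    if (!env) return 0;
    sim_getenv("PATH");                  /* what rb_env_path_tainted does */
    return envarea_generation != gen_at_fetch;
}

/* Mitigation: copy the value into caller-owned storage before anything
 * else can call getenv. Returns 1 on success, 0 if absent or too long. */
int env_fetch_copy(const char *name, char *out, size_t outlen) {
    const char *env = sim_getenv(name);
    size_t n;
    if (!env) return 0;
    n = strlen(env);
    if (n >= outlen) return 0;
    memcpy(out, env, n + 1);             /* snapshot taken while env is valid */
    sim_getenv("PATH");                  /* now harmless: env is no longer used */
    return 1;
}

/* Helper for checks: fetch safely and compare with an expected value. */
int env_fetch_copy_matches(const char *name, const char *expected) {
    char buf[64];
    if (!env_fetch_copy(name, buf, sizeof buf)) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[64];
    printf("buggy order leaves dangling pointer: %d\n",
           env_fetch_order_leaves_dangling());
    if (env_fetch_copy("path", buf, sizeof buf))
        printf("PATH via copy: %s\n", buf);
    free(envarea);
    return 0;
}
```

The generation counter makes the hazard observable deterministically: reading through the stale pointer would be undefined behaviour, which is exactly why the report needs PageHeap to turn it into a reliable crash. The fix pattern is the same one a reviewer would ask for in `env_fetch`: take the copy (`rb_str_new2` or equivalent) before any call that may free the block.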
 
