byroot (Jean Boussier) wrote in #note-3: > So `#update` with block isn't considered iteration, so it doesn't increase the `iterlevel` hence `#rehash` is mistakenly allowed. > ... byroot (Jean Boussier) wrote in #note-2: > ```ruby > ....cyruscyliu (Qiang Liu)
Hi, we found a heap-use-after-free caused by mutating the set. hash() returning 0 is important to create the collision and then trigger eql? ``` $flag = false $c = 0 class C def hash return 0 end def eq...cyruscyliu (Qiang Liu)
Hi, we found a heap-use-after-free in set initialization via clearing the array while it’s being iterated. Here is the PoC. ``` $a = (1..100).to_a s = Set.new($a) { |x| $a.clear } ``` Initializing a Set with an array th...cyruscyliu (Qiang Liu)
Hi, we found a heap-use-after-free of set#merge via mutating hash method. Here is the PoC. ``` class C def hash $a.clear return 0 end end $a = (1..100).to_a $a.insert(0, C.new) $b = Set.new([]) $b....cyruscyliu (Qiang Liu)
Hi, we found a heap-use-after-free of Array#hash via mutating hash method. Here is the PoC. ``` class C def hash() puts $a $a.push(*1..100000) return 0 end end c = C.new $a = [c] $a.push(*1...cyruscyliu (Qiang Liu)
Hi, we found a heap-buffer-overflow of Array#difference via mutating hash method. Here is the PoC. ``` class C def hash $a.clear return 0 end def eql?(other) return true end end $...cyruscyliu (Qiang Liu)
cyruscyliu (Qiang Liu)07:16 AM Ruby Bug #21333: heap-use-after-free caused by rehash during update