Christopher Thompson | 12 May 19:23

Buffer overflow in Ruby 1.8.6?

I think I have found a minor buffer overflow in string.c in Ruby 1.8.6.  I could very easily be wrong.  I would appreciate feedback either way.

Roughly around line 739, we have the following code:
VALUE
rb_str_cat(str, ptr, len)
     VALUE str;
     const char *ptr;
     long len;
{
     if (len < 0) {
	rb_raise(rb_eArgError, "negative string size (or size too big)");
     }
     if (FL_TEST(str, STR_ASSOC)) {
	rb_str_modify(str);
	/* allocates exactly len+len bytes: no room for the sentinel below */
	REALLOC_N(RSTRING(str)->ptr, char, RSTRING(str)->len+len);
	memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len);
	RSTRING(str)->len += len;
	/* index len+len is one past the end of that allocation */
	RSTRING(str)->ptr[RSTRING(str)->len] = '\0'; /* sentinel */
	return str;
     }

     return rb_str_buf_cat(str, ptr, len);
}

I believe the REALLOC_N line is incorrect.  Instead of:
REALLOC_N(RSTRING(str)->ptr, char, RSTRING(str)->len+len);
I believe it should be:
REALLOC_N(RSTRING(str)->ptr, char, RSTRING(str)->len+len+1);

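
To make the off-by-one concrete, here is an added example that is not code from the original post or from Ruby's string.c. It models the STR_ASSOC branch of rb_str_cat with a small struct of its own; the `cap` field and the `extra` parameter are assumptions for the demonstration (the real RString carries no capacity for these strings, which is exactly why nothing in the interpreter notices the missing byte). `extra = 0` mirrors the 1.8.6 allocation, `extra = 1` mirrors the proposed `len+len+1`.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for Ruby 1.8's RString with one extra field, `cap`, that the
 * real struct does not have for STR_ASSOC strings: it records how many
 * bytes are actually allocated so the example can detect the stray
 * sentinel write instead of performing it (demo-only bookkeeping). */
struct mini_str {
    char *ptr;
    long  len;   /* bytes in use, not counting the trailing '\0' */
    long  cap;   /* bytes allocated (assumed field, not in RString) */
};

static struct mini_str *mini_str_new(const char *s)
{
    struct mini_str *str = malloc(sizeof *str);
    long n = (long)strlen(s);
    str->len = n;
    str->cap = n + 1;                      /* room for the sentinel */
    str->ptr = malloc((size_t)str->cap);
    memcpy(str->ptr, s, (size_t)n + 1);
    return str;
}

static void mini_str_free(struct mini_str *str)
{
    free(str->ptr);
    free(str);
}

/* Mirror of the STR_ASSOC branch of rb_str_cat.  `extra` is how many
 * bytes the REALLOC_N reserves beyond RSTRING(str)->len + len:
 *   0 reproduces the 1.8.6 code, 1 reproduces the proposed fix.
 * Returns 1 if the sentinel index equals the allocation size (the '\0'
 * would be written one byte past the end; the write is skipped here so
 * the program stays well-defined), 0 if the sentinel fits, -1 if len is
 * negative (where Ruby calls rb_raise). */
static int mini_str_cat(struct mini_str *str, const char *ptr, long len, long extra)
{
    if (len < 0)
        return -1;

    long new_cap = str->len + len + extra;
    str->ptr = realloc(str->ptr, (size_t)new_cap);
    str->cap = new_cap;
    memcpy(str->ptr + str->len, ptr, (size_t)len);
    str->len += len;

    if (str->len >= str->cap)
        return 1;                          /* ptr[len] is outside the allocation */

    str->ptr[str->len] = '\0';             /* sentinel */
    return 0;
}

/* Append b to a fresh copy of a and report whether the sentinel write
 * would have gone out of bounds under the given allocation policy. */
int sentinel_out_of_bounds(const char *a, const char *b, long extra)
{
    struct mini_str *s = mini_str_new(a);
    int oob = mini_str_cat(s, b, (long)strlen(b), extra);
    mini_str_free(s);
    return oob;
}

int main(void)
{
    printf("1.8.6 (len+len):   \"foo\" + \"bar\" -> out of bounds: %d\n",
           sentinel_out_of_bounds("foo", "bar", 0));
    printf("fixed (len+len+1): \"foo\" + \"bar\" -> out of bounds: %d\n",
           sentinel_out_of_bounds("foo", "bar", 1));
    printf("1.8.6, empty append: \"foo\" + \"\"  -> out of bounds: %d\n",
           sentinel_out_of_bounds("foo", "", 0));
    return 0;
}
```

Two things the model makes visible that the diff alone does not. First, the stray byte is always exactly one NUL at offset len+len, so the damage depends on what the allocator placed there: most allocators round requests up, so the byte usually lands in slack space inside the chunk and only clobbers a neighbouring chunk or its header when len+len already fills the chunk exactly, which is why a bug like this can survive for a long time. Second, a zero-length append is not harmless either: the REALLOC_N shrinks a buffer that previously had room for its sentinel down to len bytes, and the sentinel write that was in bounds before the call is out of bounds after it.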

Yukihiro Matsumoto | 13 May 02:58

Re: Buffer overflow in Ruby 1.8.6?

Hi,

In message "Re: Buffer overflow in Ruby 1.8.6?"
    on Tue, 13 May 2008 02:23:49 +0900, Christopher Thompson <cthompson <at> nexopia.com> writes:

|I think I have found a minor buffer overflow in string.c in Ruby 1.8.6. 
|  I could very easily be wrong.  I would appreciate feedback either way.

You're right.  Thank you for the report.

							matz.
