oss-sec mailing list archives
Fwd: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes SEGV with x64-mingw32
From: Ramon de C Valle <rdecvalle () vmware com>
Date: Tue, 27 May 2014 09:03:01 -0700 (PDT)
I believe this should have a CVE assigned. ----- Forwarded Message -----
From: nagachika00 () gmail com To: ruby-core () ruby-lang org Sent: Tuesday, May 27, 2014 12:37:27 PM Subject: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes SEGV with x64-mingw32 Issue #9709 has been updated by Tomoyuki Chikanaga. Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE r45534 was backported into `ruby_2_1` branch at r46187. ---------------------------------------- Bug #9709: Large string causes SEGV with x64-mingw32 https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/issues/9709%23change-46919&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=fC%2FzhFNJyEarV%2BMdJG2PYaootJ9yi7QnmdVlPDyq4R8%3D%0A&s=129fea02afb2e061f7527c15971c055ab1b9299982fd9d25fc9ac84c6eb3df8d * Author: Hiroshi Shirosaki * Status: Closed * Priority: Normal * Assignee: * Category: * Target version: * ruby -v: ruby 2.2.0dev (2014-04-07 trunk 45529) [x64-mingw32] * Backport: 1.9.3: REQUIRED, 2.0.0: DONE, 2.1: DONE ---------------------------------------- Creating large string causes SEGV with x64-mingw32 on Windows. test.rb ~~~ A = "" 1000000.times do |i| A << "a" * 100000 end ~~~ gdb backtrace of `./miniruby test.rb` ~~~ Program received signal SIGSEGV, Segmentation fault. 0x000007fefe88120b in msvcrt!memmove () from C:\Windows\system32\msvcrt.dll (gdb) bt #0 0x000007fefe88120b in msvcrt!memmove () from C:\Windows\system32\msvcrt.dll #1 0x000000000054e404 in str_buf_cat (str=str@entry=115691040, ptr=ptr@entry=0x7b510e0 'a' <repeats 200 times>..., len=len@entry=100000) at ../../../ruby/string.c:2042 #2 0x000000000054e90a in rb_enc_cr_str_buf_cat (str=str@entry=115691040, ptr=0x7b510e0 'a' <repeats 200 times>..., len=100000, ptr_encindex=<optimized out>, ptr_cr=ptr_cr@entry=1048576, ptr_cr_ret=0x22eb10, ptr_cr_ret@entry=0x22eaf0) at ../../../ruby/string.c:2164 #3 0x0000000000553c6c in rb_str_buf_append (str=115691040, str2=115660360) at ../../../ruby/string.c:2207 #4 0x0000000000553d9f in rb_str_append (str2=115660360, str=115691040) at ../../../ruby/string.c:2220 #5 rb_str_concat (str1=115691040, str2=115660360) at ../../../ruby/string.c:2256 #6 0x00000000005ac743 in vm_exec_core (th=0x768ce00, th@entry=0x0, initial=initial@entry=0) at ../../../ruby/insns.def:1824 #7 0x00000000005ad661 in vm_exec (th=0x0) at ../../../ruby/vm.c:1328 #8 0x0000000000000000 in ?? () ~~~ `capa` setting looks wrong in the following code. Here is a patch. ~~~ diff --git a/string.c b/string.c index 511374c..8abfc25 100644 --- a/string.c +++ b/string.c @@ -2029,7 +2029,7 @@ str_buf_cat(VALUE str, const char *ptr, long len) if (capa <= total) { while (total > capa) { if (capa + termlen >= LONG_MAX / 2) { - capa = (total + 4095) / 4096; + capa = LONG_MAX - termlen; break; } capa = (capa + termlen) * 2; ~~~ -- https://urldefense.proofpoint.com/v1/url?u=https://bugs.ruby-lang.org/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=bZpuVimtRQUx3xHFIlu%2BaciWn3GMzM%2FBnwDoBm5jP8U%3D%0A&m=fC%2FzhFNJyEarV%2BMdJG2PYaootJ9yi7QnmdVlPDyq4R8%3D%0A&s=b6f086bbe3874719b7d8fb1428403898f66136119f73522f325030657ca74f44
Current thread:
- Fwd: [ruby-core:62800] [ruby-trunk - Bug #9709] Large string causes SEGV with x64-mingw32 Ramon de C Valle (May 27)