| author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-09-14 02:24:58 +0000 |
|---|---|---|
| committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-09-14 02:24:58 +0000 |
| commit | a165a066e8f976a79256188c53e0e60f11c98607 | |
| tree | 4f6b9941ba6da53062ec0c2233b6931c69cd5527 | |
| parent | 55650f714fc46441c5ad8e3d700a31b1f71c679f | |
| download | ruby-a165a066e8f976a79256188c53e0e60f11c98607.tar.gz | |
merge revision(s) ade1283ca276f7d589ffd3539fbc7b9817f682d5: [Backport #16136]
Fix a use-after-free bug by avoiding rb_str_new_frozen
`str2 = rb_str_new_frozen(str1)` seems to make str1 a shared string that
refers to str2, but str2 is not marked as STR_IS_SHARED_M nor
STR_NOFREE.
`rb_fstring(str2)` frees str2's ptr because it is not marked, and the
freed pointer is the same as str1's ptr.
After that, accessing str1 may cause use-after-free memory corruption.
I guess this is a bug of rb_str_new_frozen, but I'm completely unsure
what it should be; the string states and flags are not documented.
So, this is a workaround for [Bug #16136]. I confirmed that rspec of
activeadmin runs gracefully.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67803 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | symbol.c | 3
-rw-r--r-- | version.h | 4
2 files changed, 4 insertions, 3 deletions
@@ -743,7 +743,8 @@ rb_str_intern(VALUE str) enc = ascii; } else { - str = rb_str_new_frozen(str); + str = rb_str_dup(str); + OBJ_FREEZE(str); } str = rb_fstring(str); type = rb_str_symname_type(str, IDSET_ATTRSET_FOR_INTERN); @@ -1,10 +1,10 @@ #define RUBY_VERSION "2.6.5" #define RUBY_RELEASE_DATE RUBY_RELEASE_YEAR_STR"-"RUBY_RELEASE_MONTH_STR"-"RUBY_RELEASE_DAY_STR -#define RUBY_PATCHLEVEL 107 +#define RUBY_PATCHLEVEL 108 #define RUBY_RELEASE_YEAR 2019 #define RUBY_RELEASE_MONTH 9 -#define RUBY_RELEASE_DAY 13 +#define RUBY_RELEASE_DAY 14 #include "ruby/version.h" |
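Review bot: the symbol.c hunk ships a workaround for a memory-safety bug without a regression test or an in-code note, and the diffstat shows only symbol.c and version.h touched. Since the commit message states that the string flag semantics behind `rb_str_new_frozen` are undocumented and the root cause is only guessed at, please add a comment next to `str = rb_str_dup(str); OBJ_FREEZE(str);` (for example `/* do not use rb_str_new_frozen here, see [Bug #16136] */`) so a later cleanup does not reintroduce the shared-buffer path, and add a test that interns a string whose buffer is shared and then exercises the original after GC, which is the pattern the message describes as corrupting memory. It is also worth confirming in the message that the dup-then-freeze result handed to `rb_fstring(str)` on the next line owns its buffer, because that is the property the fix relies on; the extra String allocation per intern through this branch is a reasonable price for a backport but should be stated explicitly.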
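Review bot: the version.h hunk only bumps `RUBY_PATCHLEVEL` from 107 to 108 and `RUBY_RELEASE_DAY` from 13 to 14, which matches the 2019-09-14 commit timestamp and leaves `RUBY_VERSION "2.6.5"` untouched, as expected for a backport to the ruby_2_6 branch; nothing to flag.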