diff options
-rw-r--r-- | string.c | 3 | ||||
-rw-r--r-- | test/ruby/test_string.rb | 6 | ||||
-rw-r--r-- | version.h | 2 |
3 files changed, 9 insertions, 2 deletions
@@ -5007,7 +5007,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) cr = cr2; } plen = end0 - beg0; - rp = RSTRING_PTR(repl); rlen = RSTRING_LEN(repl); + rlen = RSTRING_LEN(repl); len = RSTRING_LEN(str); if (rlen > plen) { RESIZE_CAPA(str, len + rlen - plen); @@ -5016,6 +5016,7 @@ rb_str_sub_bang(int argc, VALUE *argv, VALUE str) if (rlen != plen) { memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen); } + rp = RSTRING_PTR(repl); memmove(p + beg0, rp, rlen); len += rlen - plen; STR_SET_LEN(str, len); diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb index 2aed90193e..9574ed31c9 100644 --- a/test/ruby/test_string.rb +++ b/test/ruby/test_string.rb @@ -1946,6 +1946,12 @@ CODE r.taint a.sub!(/./, r) assert_predicate(a, :tainted?) + + bug16105 = '[Bug #16105] heap-use-after-free' + a = S("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345678") + b = a.dup + c = a.slice(1, 100) + assert_equal("AABCDEFGHIJKLMNOPQRSTUVWXYZ012345678", b.sub!(c, b), bug16105) end def test_succ @@ -1,6 +1,6 @@ #define RUBY_VERSION "2.5.6" #define RUBY_RELEASE_DATE "2019-08-27" -#define RUBY_PATCHLEVEL 191 +#define RUBY_PATCHLEVEL 192 #define RUBY_RELEASE_YEAR 2019 #define RUBY_RELEASE_MONTH 8 |