diff options
author | Alan Wu <XrXr@users.noreply.github.com> | 2019-05-12 20:22:37 -0400 |
---|---|---|
committer | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2019-06-18 12:18:13 +0900 |
commit | 9dec4e8fc3a6018261834b5ac9b9877f787b97ca (patch) | |
tree | e0a8dd295390ae966ac937590b20eefab658bd09 /template/verconf.h.tmpl | |
parent | 39a8c7142400d582ac4bb02a1804a5949f8da9bc (diff) | |
download | ruby-9dec4e8fc3a6018261834b5ac9b9877f787b97ca.tar.gz |
String#b: Don't depend on dependent string
Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.
The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe for using eval as a cross-version way
of registering a fstring.
```ruby
a = ('j' * 24).b.b
eval('', binding, a)
p a
4.times { GC.start }
p a
```
- string.c (str_replace_shared_without_enc): when given a
dependent string, depend on the root of the dependent
string.
[Bug #15934]
Diffstat (limited to 'template/verconf.h.tmpl')
0 files changed, 0 insertions, 0 deletions