Segfault in mrb_str_format #3347

Closed
clayton-shopify opened this Issue Dec 15, 2016 · 1 comment

clayton-shopify commented Dec 15, 2016

The following input causes a segfault in mrb_str_format:

sprintf("%1$*c", 0)

This issue was reported by https://hackerone.com/haquaman, who suggested the following patch:

diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 696d093..30adbb0 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -687,10 +687,10 @@ retry:
           CHECK(n);
           memcpy(buf+blen, c, n);
           blen += n;
-          FILL(' ', width-1);
+          if (width) FILL(' ', width-1);
         }
         else {
-          FILL(' ', width-1);
+          if (width) FILL(' ', width-1);
           CHECK(n);
           memcpy(buf+blen, c, n);
           blen += n;
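Review bot: the guard `if (width) FILL(' ', width-1);` only excludes `width == 0`; if `width` can be negative on this path (its type and how a negative `*` argument is normalized are not visible in the hunk), `FILL(' ', width-1)` is still reached with a negative count, so `if (width > 0)` is the safer condition and costs nothing. Since the identical two-line change appears in both the left-justified and right-justified branches, the pad count could also be computed once before the branch so the check lives in one place. Worth noting too that the patch silently accepts a format string that CRuby rejects with `ArgumentError` (unnumbered mixed with numbered), so the two implementations will diverge on this input.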
matz commented Dec 17, 2016

CRuby causes an exception for the format string.

unnumbered(1) mixed with numbered (ArgumentError)

matz closed this in 4325707 Dec 17, 2016
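As an added illustration of the width underflow reported above and of why matz's comment matters (this is example code, not mruby's own): a minimal model of the `%*c` path, where `*` takes the field width from an argument, the character is written once, and the remaining `width-1` cells are space padding. `pad_count_unguarded` is the bare `width-1` on an unsigned width, which wraps to `SIZE_MAX` for a width of 0; `pad_count_guarded` and the bounds-checked `format_char_padded` are the hardened forms, refusing output that would not fit instead of writing past the buffer. All function names are hypothetical, and the width is assumed to be unsigned (the type used by mruby is not shown on this page).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mruby's code. Models the "%*c" padding path of a
 * sprintf-style formatter. Assumed: width is an unsigned size_t. */

/* Unguarded arithmetic: for width == 0, width - 1 wraps to SIZE_MAX, so a
 * FILL-style loop driven by this count would run far past the buffer. */
size_t pad_count_unguarded(size_t width) {
    return width - 1;
}

/* Guarded: a width of 0 or 1 means the character alone, no padding. */
size_t pad_count_guarded(size_t width) {
    return width > 1 ? width - 1 : 0;
}

/* Bounds-checked formatter. Writes the padded character plus a NUL into out.
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * result would not fit in cap bytes. */
int format_char_padded(char *out, size_t cap, char c, size_t width,
                       int left_justify) {
    size_t pad = pad_count_guarded(width);
    size_t total = pad + 1;                 /* padding + the character */
    if (cap == 0 || total > cap - 1) {      /* keep room for the NUL */
        return -1;
    }
    size_t pos = 0;
    if (left_justify) {
        out[pos++] = c;
        memset(out + pos, ' ', pad);
        pos += pad;
    } else {
        memset(out + pos, ' ', pad);
        pos += pad;
        out[pos++] = c;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Helper for checks: 1 if formatting into an 8-byte buffer yields expected. */
int formats_as(const char *expected, char c, size_t width, int left_justify) {
    char buf[8];
    int n = format_char_padded(buf, sizeof buf, c, width, left_justify);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void) {
    char buf[16];
    /* Constructed inputs: the reported case (width 0) and an ordinary one. */
    int n = format_char_padded(buf, sizeof buf, 'x', 0, 0);
    printf("width 0 -> %d byte(s): \"%s\"\n", n, buf);
    n = format_char_padded(buf, sizeof buf, 'x', 5, 0);
    printf("width 5 -> %d byte(s): \"%s\"\n", n, buf);
    printf("unguarded pad count for width 0: %zu\n", pad_count_unguarded(0));
    return 0;
}
```

The capacity check plays the role of `CHECK(n)` in the patched code but covers the padding as well as the character; with the guard in `pad_count_guarded`, the width-0 input from the report produces a single character rather than a wrapped pad count.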

hsbt pushed a commit to ruby/ruby that referenced this issue Dec 17, 2016

sprintf.c: fix width underflow
* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  mruby/mruby#3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57108 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

hsbt pushed a commit to ruby/ruby that referenced this issue Dec 27, 2016

merge revision(s) 57108: [Backport #13049]
	sprintf.c: fix width underflow

	* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  mruby/mruby#3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@57219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

hsbt pushed a commit to ruby/ruby that referenced this issue Jan 16, 2017

merge revision(s) 57108: [Backport #13121]
	sprintf.c: fix width underflow

	* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  mruby/mruby#3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@57340 b2dd03c8-39d4-4d8f-98ff-823fe69b080e