
Segfault in mrb_str_format #3347

Closed
clayton-shopify opened this issue Dec 15, 2016 · 1 comment
@clayton-shopify
Contributor

The following input causes a segfault in mrb_str_format:

sprintf("%1$*c", 0)

This issue was reported by https://hackerone.com/haquaman, who suggested the following patch:

diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 696d093..30adbb0 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -687,10 +687,10 @@ retry:
           CHECK(n);
           memcpy(buf+blen, c, n);
           blen += n;
-          FILL(' ', width-1);
+          if (width) FILL(' ', width-1);
         }
         else {
-          FILL(' ', width-1);
+          if (width) FILL(' ', width-1);
           CHECK(n);
           memcpy(buf+blen, c, n);
           blen += n;
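Review bot: the `if (width)` guard added at both `FILL(' ', width-1);` call sites only rules out `width == 0`; the precise condition is `width > 1`, because padding is needed only when the field is wider than the single character already copied by `memcpy(buf+blen, c, n)`, and `width == 1` still calls `FILL(' ', 0)` under the new guard. Since the FMINUS and non-FMINUS branches now carry the identical guard and FILL call, consider computing the pad length once, e.g. `mrb_int pad = (width > 1) ? width - 1 : 0;` before the `if`/`else`, and calling `FILL(' ', pad)` in each branch so the underflow cannot be reintroduced in one branch but not the other. Please also add the reported trigger `sprintf("%1$*c", 0)` as a regression test, and weigh matz's point that CRuby rejects this format with ArgumentError (unnumbered mixed with numbered), which stops the bad width before it reaches any conversion rather than patching the `%c` path alone.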
@matz
Member

matz commented Dec 17, 2016

CRuby causes an exception for the format string.

unnumbered(1) mixed with numbered (ArgumentError)

@matz matz closed this as completed in 4325707 Dec 17, 2016
hsbt pushed a commit to ruby/ruby that referenced this issue Dec 17, 2016
* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  mruby/mruby#3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57108 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
hsbt pushed a commit to ruby/ruby that referenced this issue Dec 27, 2016
	sprintf.c: fix width underflow

	* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  mruby/mruby#3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@57219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
hsbt pushed a commit to ruby/ruby that referenced this issue Jan 16, 2017
	sprintf.c: fix width underflow

	* sprintf.c (rb_str_format): fix memory corruption by width
  underflow.  mruby/mruby#3347

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@57340 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
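The mechanism behind the report, and the "width underflow" named in the CRuby commits above, as an added model in C. This is not mruby's sprintf.c or any code from the thread: it assumes a fixed caller-supplied buffer instead of mruby's growable one, uses `long` where mruby uses its signed `mrb_int` for `width`, `blen` and `bsiz`, and reports the out-of-bounds `memset` rather than performing it so the program runs to completion. The names `pad_vulnerable`, `pad_fixed`, `format_char` and `check_format` are invented for the illustration, and the treatment of a negative `*` width as left-justification is an assumption taken from Ruby's sprintf behaviour.

```c
/*
 * Model of the "%*c" width underflow behind mruby/mruby#3347.  Added
 * illustration, not mruby's sprintf.c: fixed caller buffer, signed lengths
 * (mruby's width/blen/bsiz are signed mrb_int), and a reported rather than
 * performed out-of-bounds write.
 */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODEL_BUFSZ 64

typedef enum { PAD_VULNERABLE, PAD_FIXED } pad_mode;

/*
 * Vulnerable shape: FILL(' ', width-1) with no guard.  For width == 0 the pad
 * length is -1; a signed room check such as `l < bsiz - blen` accepts it, and
 * memset would then receive (size_t)-1.  The model reports that instead of
 * doing it.  Returns the new blen, or -1 where the real code would overrun.
 */
static long pad_vulnerable(char *buf, long bsiz, long blen, long width)
{
    long pad = width - 1;                   /* -1 when width == 0 */
    if (!(pad < bsiz - blen))               /* real code would realloc here */
        return -1;                          /* growth is out of scope */
    size_t n = (size_t)pad;                 /* -1 becomes SIZE_MAX */
    if (n > (size_t)(bsiz - blen))
        return -1;                          /* memset would run past buf */
    memset(buf + blen, ' ', n);
    return blen + pad;
}

/*
 * Hardened shape: pad only when the field is wider than the one character
 * being emitted, so width - 1 is never negative.
 */
static long pad_fixed(char *buf, long bsiz, long blen, long width)
{
    if (width <= 1)
        return blen;                        /* nothing to pad */
    long pad = width - 1;
    if (pad > bsiz - blen)
        return -1;                          /* fixed buffer too small */
    memset(buf + blen, ' ', (size_t)pad);
    return blen + pad;
}

/*
 * Render one "%*c" conversion into buf, NUL-terminated.  A negative width
 * left-justifies, as Ruby's sprintf treats a negative `*` argument (assumed
 * here).  Returns the length, or -1 if the padding routine reports an overrun.
 */
static long format_char(char *buf, long bsiz, long width, char c, pad_mode mode)
{
    long (*pad)(char *, long, long, long) =
        (mode == PAD_FIXED) ? pad_fixed : pad_vulnerable;
    int left = 0;
    long blen = 0;

    if (width < 0) { left = 1; width = -width; }
    if (bsiz < 2) return -1;                /* room for c and the NUL */

    if (left) {
        buf[blen++] = c;
        blen = pad(buf, bsiz - 1, blen, width);
    } else {
        blen = pad(buf, bsiz - 1, blen, width);
        if (blen >= 0) buf[blen++] = c;
    }
    if (blen < 0) return -1;
    buf[blen] = '\0';
    return blen;
}

/* 1 if formatting `width` yields `expected`; expected == NULL means "overrun". */
static int check_format(long width, pad_mode mode, const char *expected)
{
    char buf[MODEL_BUFSZ];
    long n = format_char(buf, MODEL_BUFSZ, width, 'A', mode);
    if (expected == NULL) return n < 0;
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[MODEL_BUFSZ];
    long widths[] = { 0, 1, 5, -5 };        /* 0 is the reported trigger */
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        long v = format_char(buf, MODEL_BUFSZ, widths[i], 'A', PAD_VULNERABLE);
        printf("width %3ld vulnerable: %s\n", widths[i], v < 0 ? "OVERRUN" : buf);
        long f = format_char(buf, MODEL_BUFSZ, widths[i], 'A', PAD_FIXED);
        printf("width %3ld fixed     : \"%s\" (len %ld)\n", widths[i], buf, f);
    }
    return 0;
}
```

The point the model makes is that the dangerous step is not the subtraction itself but the signed-to-`size_t` conversion at the `memset` call: a capacity check written in signed arithmetic passes -1 without complaint, so the guard has to sit on `width` before the pad length is formed. Only the width-0 case differs between the two padding routines; widths of 1, 5 and -5 produce identical output from both.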