The following input demonstrates a use after free bug in str_replace which occurs if the string is replaced with itself:
```ruby
a = "A"*50
a.replace(a)
b = "B"*50
puts a
```
This code prints BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB when it should print AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.
This happens because the string buffer is freed here:
mruby/src/string.c, line 523 in 5e3077c
It is then copied here, after which it can continue to be used:
mruby/src/string.c, line 531 in 5e3077c
This issue was reported by https://hackerone.com/tunz
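
A simplified C model of the free-then-copy order described in the report, next to a hardened version. This is an added example, not mruby's code or its patch; `str_t`, `str_new`, `str_replace_unsafe` and `str_replace_safe` are hypothetical names, and the model copies bytes rather than reproducing mruby's string internals.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical minimal string object (assumption; not mruby's RString). */
typedef struct { char *ptr; size_t len; } str_t;

str_t *str_new(const char *s) {
    str_t *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->len = strlen(s);
    o->ptr = malloc(o->len + 1);
    if (!o->ptr) { free(o); return NULL; }
    memcpy(o->ptr, s, o->len + 1);
    return o;
}
void str_free(str_t *o) { if (o) { free(o->ptr); free(o); } }

/* BEFORE: free-then-copy. If dst == src, `from` dangles after free() and
 * memcpy reads freed memory. Shown for comparison; never called here. */
int str_replace_unsafe(str_t *dst, const str_t *src) {
    const char *from = src->ptr;
    free(dst->ptr);
    dst->ptr = malloc(src->len + 1);
    if (!dst->ptr) return -1;
    memcpy(dst->ptr, from, src->len + 1);
    dst->len = src->len;
    return 0;
}

/* AFTER: reject aliasing, and copy before releasing the old buffer. */
int str_replace_safe(str_t *dst, const str_t *src) {
    if (dst == src) return 0;            /* self-replace is a no-op */
    char *buf = malloc(src->len + 1);
    if (!buf) return -1;
    memcpy(buf, src->ptr, src->len + 1);
    free(dst->ptr);                      /* old buffer released last */
    dst->ptr = buf; dst->len = src->len;
    return 0;
}

/* Constructed check mirroring the reproducer: a.replace(a); b = "B"*50. */
int self_replace_keeps_contents(void) {
    char as[51], bs[51];
    memset(as, 'A', 50); memset(bs, 'B', 50); as[50] = bs[50] = '\0';
    str_t *a = str_new(as);
    int ok = a && str_replace_safe(a, a) == 0;
    str_t *b = str_new(bs);              /* may reuse any freed chunk */
    ok = ok && b && a->len == 50 && memcmp(a->ptr, as, 51) == 0;
    str_free(b); str_free(a);
    return ok;
}
```

Building with `-fsanitize=address` and calling `str_replace_unsafe(a, a)` makes the sanitizer report the read of freed memory at the `memcpy`.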
e1ff710