New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use after free in str_replace #3374

Closed
clayton-shopify opened this Issue Jan 5, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Jan 5, 2017

The following input demonstrates a use after free bug in str_replace which occurs if the string is replaced with itself:

a = "A"*50
a.replace(a)
b = "B"*50
puts a

This code prints BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB when it should print AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.

This happens because the string buffer is freed here:

mrb_free(mrb, s1->as.heap.ptr);

It is then copied here, after which it can continue to be used:

s1->as.heap.ptr = s2->as.heap.ptr;

This issue was reported by https://hackerone.com/tunz

@matz matz closed this in e1ff710 Jan 11, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment