mrb_ary_splice still has integer overflows #3413

Closed
clayton-shopify opened this Issue Jan 23, 2017 · 3 comments

clayton-shopify (Contributor) commented Jan 23, 2017

@matz @ksss

Even after #3409 there are still integer overflows in mrb_ary_splice, as the following input demonstrates:

a = [0] * 0x40000001
a[0x40000000,0x40000000] = [1]

This crashes because head + len overflows here:

if (a->len < len || a->len < head + len) {

and also here:

value_move(a->ptr + head + argc, a->ptr + head + len, a->len - (head + len));
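The following C program is an added illustration of the two overflowing expressions quoted above; it is not mruby's code and not the fix referenced in this issue. It assumes mruby's default 32-bit `mrb_int` (no `MRB_INT64`), replays the reporter's input (`a->len = 0x40000001`, `head = 0x40000000`, `len = 0x40000000`), and emulates the signed wraparound deterministically (the real signed addition is undefined behaviour in C). The function names (`clamp_len_original`, `clamp_len_safe`, `tail_count_*`, `add_overflows`) are hypothetical, and the "safe" variant is one overflow-free way to express `head + len > a->len` without forming the sum, not a claim about what commits 72bff29 or b0f918d do.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: mruby built with its default 32-bit mrb_int (no MRB_INT64). */
typedef int32_t mrb_int;
#define MRB_INT_MAX_ASSUMED INT32_MAX

/* Two's-complement reinterpretation of a 32-bit unsigned value, written so
 * every step is well defined. Used only to emulate the wraparound that the
 * original signed addition produces in practice (real C: undefined). */
static mrb_int wrap32(uint32_t u)
{
    if (u <= (uint32_t)INT32_MAX) return (mrb_int)u;
    return (mrb_int)(u - 0x80000000u) + INT32_MIN;
}

/* Emulates the pre-fix clamp in mrb_ary_splice:
 *   if (a->len < len || a->len < head + len) len = a->len - head;
 * Returns the len the splice would proceed with. With the reporter's input,
 * head + len wraps to INT32_MIN, the comparison passes, and len is NOT clamped. */
static mrb_int clamp_len_original(mrb_int alen, mrb_int head, mrb_int len)
{
    mrb_int sum = wrap32((uint32_t)head + (uint32_t)len);  /* head + len, wrapped */
    if (alen < len || alen < sum) {
        len = alen - head;
    }
    return len;
}

/* Emulates the element count handed to value_move: a->len - (head + len).
 * With the wrapped sum this goes negative, i.e. a huge count once it is
 * treated as an unsigned size. */
static mrb_int tail_count_original(mrb_int alen, mrb_int head, mrb_int len)
{
    mrb_int sum = wrap32((uint32_t)head + (uint32_t)len);
    return wrap32((uint32_t)alen - (uint32_t)sum);
}

/* Overflow-free clamp. Precondition (assumed here; mruby validates head and
 * len before this point): 0 <= head <= alen and len >= 0. Since head <= alen,
 * alen - head cannot overflow, so "len > alen - head" is exactly
 * "head + len > alen" without ever computing the sum. */
static mrb_int clamp_len_safe(mrb_int alen, mrb_int head, mrb_int len)
{
    mrb_int remaining = alen - head;
    if (len > remaining) len = remaining;
    return len;
}

/* Tail count after the safe clamp; never negative under the precondition. */
static mrb_int tail_count_safe(mrb_int alen, mrb_int head, mrb_int len)
{
    return alen - head - clamp_len_safe(alen, head, len);
}

/* Portable overflow test for head + len on non-negative operands:
 * rearranged so the subtraction itself cannot overflow. */
static bool add_overflows(mrb_int head, mrb_int len)
{
    return len > MRB_INT_MAX_ASSUMED - head;
}

int main(void)
{
    /* The reporter's input: a = [0] * 0x40000001; a[0x40000000, 0x40000000] = [1] */
    mrb_int alen = 0x40000001, head = 0x40000000, len = 0x40000000;

    printf("head + len overflows 32-bit mrb_int: %s\n",
           add_overflows(head, len) ? "yes" : "no");
    printf("original: len=%" PRId32 " tail=%" PRId32 " (negative tail -> huge move)\n",
           clamp_len_original(alen, head, len), tail_count_original(alen, head, len));
    printf("safe:     len=%" PRId32 " tail=%" PRId32 "\n",
           clamp_len_safe(alen, head, len), tail_count_safe(alen, head, len));
    return 0;
}
```

The point of the safe variant is that the only subtraction it performs, `alen - head`, is guaranteed in range by the precondition, so there is no expression whose value depends on the magnitude of `len`; a check written as `a->len < head + len` can never be made safe by reordering alone when `head + len` is still evaluated.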

matz closed this in 72bff29 on Jan 24, 2017

clayton-shopify (Contributor) commented Jan 24, 2017

I don't think the fix is quite right, but I couldn't find a way to exploit it. Comments are in the commit.

matz (Member) commented Jun 17, 2017

b0f918d addressed the concern.

ksss (Contributor) commented Jun 19, 2017

Thank you for reporting and fixing!
