
mrb_ary_splice still has integer overflows #3413


Closed
clayton-shopify opened this issue Jan 23, 2017 · 3 comments

@clayton-shopify (Contributor)

@matz @ksss

Even after #3409 there are still integer overflows in mrb_ary_splice, as the following input demonstrates:

```ruby
a = [0] * 0x40000001
a[0x40000000,0x40000000] = [1]
```

This crashes because head + len overflows here:

```c
if (a->len < len || a->len < head + len) {
```

and also here:

```c
value_move(a->ptr + head + argc, a->ptr + head + len, a->len - (head + len));
```
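The two quoted lines both form `head + len` before comparing or subtracting, which is where a 32-bit `mrb_int` wraps for the reporter's values. The block below is an added illustration, not mruby's code and not the fix from either commit referenced in this thread: it assumes a 32-bit `mrb_int`, uses the issue's own values, and shows the overflow-free way to ask the same two questions (is `[head, head + len)` inside the array, and how many elements follow it) without ever computing `head + len`. The helper names `head_plus_len_overflows`, `splice_range_in_bounds` and `elements_after_range` are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this demonstration: a 32-bit mrb_int, as in a 32-bit
   mruby build. The values below then match the reproducer in the issue. */
typedef int32_t mrb_int;

/* Reports whether head + len would leave the mrb_int range. The sum is formed
   in 64 bits so that this question can be answered without overflowing. */
bool head_plus_len_overflows(mrb_int head, mrb_int len)
{
  int64_t sum = (int64_t)head + (int64_t)len;
  return sum > INT32_MAX || sum < INT32_MIN;
}

/* Overflow-free version of the bounds test quoted in the issue: instead of
   comparing a->len against head + len, compare len against the room left
   after head. Returns true when [head, head + len) lies inside the array.
   Hypothetical helper, not mruby's own fix. */
bool splice_range_in_bounds(mrb_int alen, mrb_int head, mrb_int len)
{
  if (head < 0 || len < 0 || head > alen) return false;
  /* alen - head cannot overflow because 0 <= head <= alen. */
  return len <= alen - head;
}

/* Number of elements that follow the spliced range, i.e. the third argument
   of the value_move call in the issue, computed as (alen - head) - len so
   that head + len is never formed. Caller must first have confirmed
   splice_range_in_bounds(). */
mrb_int elements_after_range(mrb_int alen, mrb_int head, mrb_int len)
{
  return (alen - head) - len;
}

int main(void)
{
  /* Constructed from the issue's reproducer: a = [0] * 0x40000001 followed
     by a[0x40000000, 0x40000000] = [1]. */
  mrb_int alen = 0x40000001, head = 0x40000000, len = 0x40000000;

  printf("head + len overflows 32-bit mrb_int: %s\n",
         head_plus_len_overflows(head, len) ? "yes" : "no");
  printf("range inside array (overflow-free check): %s\n",
         splice_range_in_bounds(alen, head, len) ? "yes" : "no");

  /* A range that does fit: the final element only. */
  printf("elements after a[0x40000000, 1]: %d\n",
         (int)elements_after_range(alen, head, 1));
  return 0;
}
```

With the issue's values the 64-bit sum is 0x80000000, which is outside the 32-bit range, so the quoted comparison can never be trusted for them; the rewritten check answers "not in bounds" without touching the sum, and the same subtraction order keeps the `value_move` count free of overflow once the range has been validated.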

@matz matz closed this as completed in 72bff29 Jan 24, 2017
@clayton-shopify (Contributor, Author)

I don't think the fix is quite right, but I couldn't find a way to exploit it. Comments are in the commit.

@matz (Member)

matz commented Jun 17, 2017

b0f918d addressed the concern.

@ksss (Contributor)

ksss commented Jun 19, 2017

Thank you for reporting and fixing!
