Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mrb_ary_splice still has integer overflows #3413

Closed
clayton-shopify opened this issue Jan 23, 2017 · 3 comments
Closed

mrb_ary_splice still has integer overflows #3413

clayton-shopify opened this issue Jan 23, 2017 · 3 comments

Comments

@clayton-shopify
Copy link
Contributor

clayton-shopify commented Jan 23, 2017

@matz @ksss

Even after #3409 there are still integer overflows in mrb_ary_splice, as the following input demonstrates:

a = [0] * 0x40000001
a[0x40000000,0x40000000] = [1]

This crashes because head + len overflows here:

if (a->len < len || a->len < head + len) {

and also here:

value_move(a->ptr + head + argc, a->ptr + head + len, a->len - (head + len));

@matz matz closed this as completed in 72bff29 Jan 24, 2017
@clayton-shopify
Copy link
Contributor Author

clayton-shopify commented Jan 24, 2017

I don't think the fix is quite right, but I couldn't find a way to exploit it. Comments are in the commit.

@matz
Copy link
Member

matz commented Jun 17, 2017

b0f918d addressed the concern.

@ksss
Copy link
Contributor

ksss commented Jun 19, 2017

Thank you for reporting and fixing!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants