Commits on Jul 24, 2022

1. Fix possible use after free in mrb_class_find_path …

   `mrb_class_find_path` resolves a `char*` pointer to a class name string
   by calling `mrb_class_name`. It then allocates a new string with
   capacity 40 to copy that `char*` into.
   
   https://github.com/mruby/mruby/blob/e04184185ab43b94980550e850d8813a415fa438/src/variable.c#L1111-L1112
   
   `mrb_class_name` resolves the class name via `class_name_str`, which
   returns an `mrb_value` with type tag `MRB_TT_STRING` and backed by an
   `RString*`. Then `mrb_class_name` extracts the `RSTRING_PTR`:
   
   https://github.com/mruby/mruby/blob/e04184185ab43b94980550e850d8813a415fa438/src/class.c#L2133-L2134
   
   That `RString*`-backed `mrb_value` ultimately comes from `mrb_class_path`
   which resolves the string from the symbol table:
   
   https://github.com/mruby/mruby/blob/e04184185ab43b94980550e850d8813a415fa438/src/class.c#L2111
   
   The allocation of the target `str` after resolving the class name
   `mrb_value` and extracting its pointer is fragile and assumes the
   `RString*` is "static". If the `RString*` is not static, the
   interleaving of extracting the `RSTRING_PTR` followed by a subsequent
   allocation might result in the class name `mrb_value` being garbage
   collected, which will leave the extracted pointer invalid.
   
   Fix this bad interleaving by allocating the destination string first
   before taking a raw pointer to an `RString*`.

   

   lopopolo committed Jul 24, 2022
   Configuration menu

   • View commit details
   • Copy full SHA for 547d465
   • Browse repository at this point

   Copy the full SHA

   547d465 View commit details

   Browse the repository at this point in the history