Check argument to ObjectSpace._id2ref

Ensure that the argument is an Integer or implicitly convert to, before dereferencing as a Bignum. Addressed a regression in b99833b. Reported by u75615 at https://hackerone.com/reports/898614
ruby · Jun 16, 2020 · 26c179d · 26c179d
1 parent 19cabe8
commit 26c179d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/gc.c b/gc.c
@@ -3716,6 +3716,7 @@ id2ref(VALUE objid)
     VALUE orig;
     void *p0;
 
+    objid = rb_to_int(objid);
     if (FIXNUM_P(objid) || rb_big_size(objid) <= SIZEOF_VOIDP) {
         ptr = NUM2PTR(objid);
         if (ptr == Qtrue) return Qtrue;

diff --git a/test/ruby/test_objectspace.rb b/test/ruby/test_objectspace.rb
@@ -55,6 +55,16 @@ def test_id2ref_liveness
     EOS
   end
 
+  def test_id2ref_invalid_argument
+    msg = /no implicit conversion/
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(nil)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(false)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(true)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(:a)}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref("0")}
+    assert_raise_with_message(TypeError, msg) {ObjectSpace._id2ref(Object.new)}
+  end
+
   def test_count_objects
     h = {}
     ObjectSpace.count_objects(h)