Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix buffer overrun in ivars when rebuilding shapes #6725

Merged
merged 1 commit into from
Nov 15, 2022
Merged

Fix buffer overrun in ivars when rebuilding shapes #6725

merged 1 commit into from
Nov 15, 2022

Conversation

peterzhu2118
Copy link
Member

In rb_shape_rebuild_shape, we need to increase the capacity when capacity == next_iv_index since the next ivar will be writing at index next_iv_index.

This bug can be reproduced when assertions are turned on and you run the following code:

class Foo
  def initialize
    @a1 = 1
    @a2 = 1
    @a3 = 1
    @a4 = 1
    @a5 = 1
    @a6 = 1
    @a7 = 1
  end

  def add_ivars
    @a8 = 1
    @a9 = 1
  end
end

class Bar < Foo
end

foo = Foo.new
foo.add_ivars
bar = Bar.new
GC.start
bar.add_ivars
bar.clone

You will get the following crash:

Assertion Failed: object.c:301:rb_obj_copy_ivar:src_num_ivs <= shape_to_set_on_dest->capacity

@peterzhu2118
Fix buffer overrun in ivars when rebuilding shapes
3107793 
In rb_shape_rebuild_shape, we need to increase the capacity when
capacity == next_iv_index since the next ivar will be writing at index
next_iv_index.

This bug can be reproduced when assertions are turned on and you run the
following code:

    class Foo
      def initialize
        @A1 = 1
        @a2 = 1
        @A3 = 1
        @a4 = 1
        @A5 = 1
        @a6 = 1
        @a7 = 1
      end

      def add_ivars
        @a8 = 1
        @a9 = 1
      end
    end

    class Bar < Foo
    end

    foo = Foo.new
    foo.add_ivars
    bar = Bar.new
    GC.start
    bar.add_ivars
    bar.clone

You will get the following crash:

    Assertion Failed: object.c:301:rb_obj_copy_ivar:src_num_ivs <= shape_to_set_on_dest->capacity
@peterzhu2118
Copy link
Member Author

cc. @jemmaissroff

@peterzhu2118 peterzhu2118 merged commit 5dcbe58 into ruby:master Nov 15, 2022
@peterzhu2118 peterzhu2118 deleted the pz-shapes-capa branch November 15, 2022 13:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tenderlove tenderlove Awaiting requested review from tenderlove

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
1 participant
@peterzhu2118