From: usa@...
Date: 2015-06-30T04:15:37+00:00
Subject: [ruby-core:69803] [Ruby trunk - Bug #11192] capture group special variable with large index invokes UB

Issue #11192 has been updated by Usaku NAKAMURA.

Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN to 2.0.0: WONTFIX, 2.1: REQUIRED, 2.2: REQUIRED

----------------------------------------
Bug #11192: capture group special variable with large index invokes UB
https://bugs.ruby-lang.org/issues/11192#change-53198

* Author: cremno phobia
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v:
* Backport: 2.0.0: WONTFIX, 2.1: REQUIRED, 2.2: REQUIRED
----------------------------------------
~~~
$ ruby --dump=parsetree -e "$9999999999"
###########################################################
## Do NOT use this node dump for any purpose other than ##
## debug and research. Compatibility is not guaranteed. ##
###########################################################

# @ NODE_SCOPE (line: 1)
# +- nd_tbl: (empty)
# +- nd_args:
# | (null node)
# +- nd_body:
# @ NODE_NTH_REF (line: 1)
# +- nd_nth: $1410065407
~~~

The culprit is [this line](https://github.com/ruby/ruby/blob/4d059bf9f5f10f3d3088de49fc87e5555db7770d/parse.y#L7673) in `parse.y` which contains a call to `atoi()`. A simple, non-intrusive fix could be calling a function with well-defined behavior when the resulting value can't be represented instead (such as `strtoul()`) and of course also adding a range check. But perhaps a syntax error is undesired here.

--
https://bugs.ruby-lang.org/
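
An added example, not code from the bug report or from Ruby's `parse.y`: a sketch of the approach the report suggests, replacing `atoi()` with `strtoul()` plus an explicit range check. The helper name `parse_nth_ref`, the `INT_MAX` limit and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from parse.y): parse the decimal digits that
 * follow '$' into *out. Returns 0 on success, -1 if the text is not a
 * pure digit string or the value exceeds max. */
static int parse_nth_ref(const char *digits, unsigned long max, unsigned long *out)
{
    char *end;
    unsigned long v;

    /* strtoul() accepts leading whitespace and a sign; reject those first. */
    if (!isdigit((unsigned char)digits[0]))
        return -1;

    errno = 0;
    v = strtoul(digits, &end, 10);
    if (*end != '\0')
        return -1;            /* trailing non-digit characters */
    if (errno == ERANGE)
        return -1;            /* too large for unsigned long: reported, not UB */
    if (v > max)
        return -1;            /* range check, needed where long is 64-bit */
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs; the second is the index used in the report. */
    const char *samples[] = { "1", "9999999999", "2147483647",
                              "2147483648", "99999999999999999999999" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long n;
        if (parse_nth_ref(samples[i], INT_MAX, &n) == 0)
            printf("$%s -> index %lu\n", samples[i], n);
        else
            printf("$%s -> rejected (out of range)\n", samples[i]);
    }
    return 0;
}
```

The `nd_nth: $1410065407` shown in the dump equals 9999999999 modulo 2^32; the checked parser rejects that input instead.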