From: usa@...
Date: 2017-03-25T15:16:08+00:00
Subject: [ruby-core:80322] [Ruby trunk Bug#13075] String#unpack with block / String#unpack1 exposes uninitialized memory

Issue #13075 has been updated by usa (Usaku NAKAMURA).

Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED, 2.4: DONE to 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED, 2.4: DONE

ruby_2_2 r58088 merged revision(s) 57187,57234.

----------------------------------------
Bug #13075: String#unpack with block / String#unpack1 exposes uninitialized memory
https://bugs.ruby-lang.org/issues/13075#change-63796

* Author: rhenium (Kazuki Yamaguchi)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED, 2.4: DONE
----------------------------------------
The problematic code looks like this (in pack.c, pack_unpack_internal()):

~~~c
      case 'b':
        {
            VALUE bitstr;
            char *t;
            int bits;
            long i;

            if (p[-1] == '*' || len > (send - s) * 8)
                len = (send - s) * 8;
            bits = 0;
            /* the string is pushed (yielded / returned) before the loop below fills it */
            UNPACK_PUSH(bitstr = rb_usascii_str_new(0, len));
            t = RSTRING_PTR(bitstr);
            for (i=0; i<len; i++) {
                if (i & 7) bits >>= 1;
                else bits = (unsigned char)*s++;
                *t++ = (bits & 1) ? '1' : '0';
            }
        }
        break;
~~~

UNPACK_PUSH() immediately yields the value (String#unpack with block) or returns to the caller (String#unpack1), but the content bytes are not initialized at the time.

This bug dates back to r11175 (Ruby 1.9.0).

-- 
https://bugs.ruby-lang.org/
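The ticket above shows the 'b' case: the result string is handed out before the fill loop writes a single byte, so String#unpack1 returns, and the block form of String#unpack yields, a buffer whose contents are whatever rb_usascii_str_new() left there. The script below is an added example, not code from the ticket or from Ruby's pack.c. It is a pure-Ruby reference implementation of the bit-string directives 'b' and 'B', with 'h'/'H' included on the assumption (not stated in the ticket) that the hex-string directives follow the same push-then-fill layout, and a check that compares both APIs against that reference on constructed inputs. The names reference_unpack and check_unpack are chosen here.

```ruby
# Added example (not code from the ticket or from Ruby's pack.c): a pure-Ruby
# reference for the 'b'/'B' bit-string directives (and, as an assumption that
# they share the same push-then-fill pattern, the 'h'/'H' hex-string
# directives), used to cross-check String#unpack1 and String#unpack with a block.

# Per-byte expansion into the units a directive emits, in emission order.
UNIT_REF = {
  "b" => ->(byte) { 0.upto(7).map { |i| (byte >> i) & 1 } },   # LSB first
  "B" => ->(byte) { 7.downto(0).map { |i| (byte >> i) & 1 } }, # MSB first
  "h" => ->(byte) { [byte & 0xf, byte >> 4] },                 # low nibble first
  "H" => ->(byte) { [byte >> 4, byte & 0xf] },                 # high nibble first
}.freeze

# Returns what `str.unpack1(directive)` should produce for one b/B/h/H
# directive with an optional count or '*'. A missing count means 1; a count
# larger than the input is clamped, as pack.c does with
# `len = (send - s) * 8` for bits (and `* 2` for nibbles).
def reference_unpack(str, directive)
  m = directive.match(/\A([bBhH])(\*|\d+)?\z/) or raise ArgumentError, "unsupported: #{directive}"
  units = str.each_byte.flat_map(&UNIT_REF.fetch(m[1]))
  count = case m[2]
          when nil then 1
          when "*" then units.size
          else m[2].to_i
          end
  units.first(count).map { |u| u.to_s(16) }.join
end

# Runs each directive over each sample through both APIs named in the ticket
# and reports every result that differs from the reference.
# Each mismatch is [sample, directive, api, value_returned].
def check_unpack(samples, directives)
  mismatches = []
  samples.each do |s|
    directives.each do |d|
      expected = reference_unpack(s, d)

      got = s.unpack1(d)
      mismatches << [s, d, :unpack1, got] if got != expected

      # The block form yields the string object itself; on an interpreter with
      # the bug the fill loop runs after the block returns and mutates that
      # same object, so dup inside the block to keep the bytes as they were
      # at yield time.
      captured = nil
      s.unpack(d) { |v| captured = v.dup }
      mismatches << [s, d, :unpack_block, captured] if captured != expected
    end
  end
  mismatches
end

if __FILE__ == $0
  # Constructed sample inputs; .b forces a binary (ASCII-8BIT) string.
  samples = ["\x01".b, "\x80".b, "\x12\xab".b, "\xff\x00\xff".b, "".b]
  directives = %w[b b* b3 b64 B* B4 h* h1 H* H3]
  bad = check_unpack(samples, directives)
  if bad.empty?
    puts "unpack1 and unpack{} agree with the reference for all samples"
  else
    bad.each { |s, d, api, v| puts "#{api} #{d} on #{s.inspect}: got #{v.inspect}" }
  end
end
```

On a fixed interpreter the check reports nothing. On a build that still has the ordering shown in the ticket, unpack1 returns the buffer before the loop runs, so the reported value is whatever bytes the allocation happened to contain; the output is therefore not deterministic, and an empty report on a single run is weaker evidence than a mismatch. The check detects the behaviour from the outside; the fix itself is in pack.c (the merged revisions named above), not in anything a caller can do.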