Actions
Bug #16376
closed
Stack-buffer-overflow in renumber_by_map in regcomp.c
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.7.0dev (2019-11-11T11:19:29Z master 8b27c23b5d) [x86_64-linux]
Backport:
Tags:
Description
I found this bug in ruby regex engine. I also reported this issue to Onigmo(https://github.com/k-takata/Onigmo/issues/144).
I reported this to [email protected], but there has been no reply for more than 2 weeks. So I decide to report it here.
Environment¶
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
root@manh-ubuntu16:~/fuzz/fuzz_ruby# uname -a
Linux manh-ubuntu16 4.4.0-166-generic #195-Ubuntu SMP Tue Oct 1 09:35:25 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@manh-ubuntu16:~/fuzz/fuzz_ruby# lsb_release -r
Release: 16.04
Compilation¶
STRIP=echo optflags=-O0 debugflags="-ggdb3 -fsanitize=address" CC=gcc ./configure
ASAN_OPTIONS=detect_leaks=0 make -j4
ASAN_OPTIONS=detect_leaks=0 make install -j4
Reproduce¶
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ASAN_OPTIONS=detect_leaks=0 ./ruby-gcc-asan/ruby -v
ruby 2.7.0dev (2019-11-11T11:19:29Z master 8b27c23b5d) [x86_64-linux]
root@manh-ubuntu16:~/fuzz/fuzz_ruby# cat test.rb
"".match /(())(?<X>)((?(90000)))/
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ASAN_OPTIONS=detect_leaks=0 ./ruby-gcc-asan/ruby test.rb
ASAN:SIGSEGV
=================================================================
==14276==ERROR: AddressSanitizer: SEGV on unknown address 0x7fffb8fb9d90 (pc 0x5612578c2903 bp 0x7fffb8f61f10 sp 0x7fffb8f61ef0 T0)
#0 0x5612578c2902 in renumber_by_map /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:1963
#1 0x5612578c279a in renumber_by_map /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:1953
#2 0x5612578c2e57 in disable_noname_group_capture /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:2036
#3 0x5612578d7ade in onig_compile_ruby /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:5773
#4 0x5612578a704b in onig_new_with_source /root/fuzz/fuzz_ruby/ruby-191111/re.c:850
#5 0x5612578a71fe in make_regexp /root/fuzz/fuzz_ruby/ruby-191111/re.c:874
#6 0x5612578b27d0 in rb_reg_initialize /root/fuzz/fuzz_ruby/ruby-191111/re.c:2858
#7 0x5612578b2b28 in rb_reg_initialize_str /root/fuzz/fuzz_ruby/ruby-191111/re.c:2892
#8 0x5612578b366b in rb_reg_compile /root/fuzz/fuzz_ruby/ruby-191111/re.c:2982
#9 0x56125785d568 in rb_parser_reg_compile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:12197
#10 0x56125785d4c8 in parser_reg_compile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:12191
#11 0x56125785d59c in reg_compile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:12207
#12 0x5612578514a9 in new_regexp /root/fuzz/fuzz_ruby/ruby-191111/parse.y:10113
#13 0x56125782abfc in ruby_yyparse /root/fuzz/fuzz_ruby/ruby-191111/parse.y:4419
#14 0x5612578338ab in yycompile0 /root/fuzz/fuzz_ruby/ruby-191111/parse.y:5942
#15 0x561257a8a470 in rb_suppress_tracing /root/fuzz/fuzz_ruby/ruby-191111/vm_trace.c:427
#16 0x56125783409c in yycompile /root/fuzz/fuzz_ruby/ruby-191111/parse.y:5991
#17 0x561257834a9a in rb_parser_compile_file_path /root/fuzz/fuzz_ruby/ruby-191111/parse.y:6130
#18 0x56125792fb0b in load_file_internal /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:2034
#19 0x5612576acd68 in rb_ensure /root/fuzz/fuzz_ruby/ruby-191111/eval.c:1129
#20 0x5612579300e2 in load_file /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:2153
#21 0x56125792e351 in process_options /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:1793
#22 0x561257930f03 in ruby_process_options /root/fuzz/fuzz_ruby/ruby-191111/ruby.c:2384
#23 0x5612576a8365 in ruby_options /root/fuzz/fuzz_ruby/ruby-191111/eval.c:123
#24 0x5612576a26ef in main main.c:50
#25 0x7fd3cdcd682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#26 0x5612576a24e8 in _start (/root/fuzz/fuzz_ruby/ruby-gcc-asan/ruby+0xea4e8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/fuzz/fuzz_ruby/ruby-191111/regcomp.c:1963 renumber_by_map
==14276==ABORTING
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ruby -v
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
root@manh-ubuntu16:~/fuzz/fuzz_ruby# ruby test.rb
test.rb: [BUG] Segmentation fault at 0x007fffe5248000
ruby 2.3.1p112 (2016-04-26) [x86_64-linux-gnu]
-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0002 E:001f20 (none) [FINISH]
-- Machine register context ------------------------------------------------
RIP: 0x00007fa814d41214 RBP: 0x00007fffe51f01c0 RSP: 0x00007fffe51f0180
RAX: 0x0000000000015f90 RBX: 0x0000000001c75eb0 RCX: 0x0000000000000004
RDX: 0x00007fa814e086a0 RDI: 0x0000000001c75eb0 RSI: 0x00007fffe51f01c0
R8: 0x0000000000000000 R9: 0x00007fffe51f0290 R10: 0x0000000001e3fbe0
R11: 0x0000000001e3e1a6 R12: 0x00007fffe51f01c0 R13: 0x00007fffe51f0290
R14: 0x00007fffe51f0248 R15: 0x00007fffe51f0248 EFL: 0x0000000000010246
-- C level backtrace information -------------------------------------------
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814dd2fd5]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814dd320c]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814cac8c4]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5ee8e]
/lib/x86_64-linux-gnu/libc.so.6 [0x7fa8148b34b0]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d41214]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d41145]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d4230b]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(onig_compile+0x1a7) [0x7fa814d482c7]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d3ca65]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d3ccbc]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d3f25e]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814c6b676]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d1cf02]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d1e5f0]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814dd6d8c]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(rb_parser_compile_file_path+0x7b) [0x7fa814d0f4cb]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5d467]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(rb_ensure+0xb0) [0x7fa814cb22f0]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5bc6f]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3 [0x7fa814d5e2db]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(ruby_process_options+0x5b) [0x7fa814d5e71b]
/usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3(ruby_options+0xb7) [0x7fa814cb3117]
ruby [0x400873]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0) [0x7fa81489e830] ../csu/libc-start.c:291
ruby(_start+0x29) [0x4008a9]
-- Other runtime information -----------------------------------------------
* Loaded script: test.rb
* Loaded features:
0 enumerator.so
1 thread.rb
2 rational.so
3 complex.so
4 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/encdb.so
5 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/trans/transdb.so
6 /usr/lib/ruby/2.3.0/unicode_normalize.rb
7 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/rbconfig.rb
8 /usr/lib/ruby/2.3.0/rubygems/compatibility.rb
9 /usr/lib/ruby/2.3.0/rubygems/defaults.rb
10 /usr/lib/ruby/2.3.0/rubygems/deprecate.rb
11 /usr/lib/ruby/2.3.0/rubygems/errors.rb
12 /usr/lib/ruby/2.3.0/rubygems/version.rb
13 /usr/lib/ruby/2.3.0/rubygems/requirement.rb
14 /usr/lib/ruby/2.3.0/rubygems/platform.rb
15 /usr/lib/ruby/2.3.0/rubygems/basic_specification.rb
16 /usr/lib/ruby/2.3.0/rubygems/stub_specification.rb
17 /usr/lib/ruby/2.3.0/rubygems/util/list.rb
18 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/stringio.so
19 /usr/lib/ruby/2.3.0/uri/rfc2396_parser.rb
20 /usr/lib/ruby/2.3.0/uri/rfc3986_parser.rb
21 /usr/lib/ruby/2.3.0/uri/common.rb
22 /usr/lib/ruby/2.3.0/uri/generic.rb
23 /usr/lib/ruby/2.3.0/uri/ftp.rb
24 /usr/lib/ruby/2.3.0/uri/http.rb
25 /usr/lib/ruby/2.3.0/uri/https.rb
26 /usr/lib/ruby/2.3.0/uri/ldap.rb
27 /usr/lib/ruby/2.3.0/uri/ldaps.rb
28 /usr/lib/ruby/2.3.0/uri/mailto.rb
29 /usr/lib/ruby/2.3.0/uri.rb
30 /usr/lib/ruby/2.3.0/rubygems/specification.rb
31 /usr/lib/ruby/2.3.0/rubygems/exceptions.rb
32 /usr/lib/ruby/vendor_ruby/rubygems/defaults/operating_system.rb
33 /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_gem.rb
34 /usr/lib/ruby/2.3.0/monitor.rb
35 /usr/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb
36 /usr/lib/ruby/2.3.0/rubygems.rb
37 /usr/lib/ruby/vendor_ruby/did_you_mean/version.rb
38 /usr/lib/ruby/vendor_ruby/did_you_mean/core_ext/name_error.rb
39 /usr/lib/ruby/vendor_ruby/did_you_mean/levenshtein.rb
40 /usr/lib/ruby/vendor_ruby/did_you_mean/jaro_winkler.rb
41 /usr/lib/ruby/vendor_ruby/did_you_mean/spell_checkable.rb
42 /usr/lib/ruby/2.3.0/delegate.rb
43 /usr/lib/ruby/vendor_ruby/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
44 /usr/lib/ruby/vendor_ruby/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
45 /usr/lib/ruby/vendor_ruby/did_you_mean/spell_checkers/name_error_checkers.rb
46 /usr/lib/ruby/vendor_ruby/did_you_mean/spell_checkers/method_name_checker.rb
47 /usr/lib/ruby/vendor_ruby/did_you_mean/spell_checkers/null_checker.rb
48 /usr/lib/ruby/vendor_ruby/did_you_mean/formatter.rb
49 /usr/lib/ruby/vendor_ruby/did_you_mean.rb
* Process memory map:
00400000-00401000 r-xp 00000000 08:01 5119895 /usr/bin/ruby2.3
00600000-00601000 r--p 00000000 08:01 5119895 /usr/bin/ruby2.3
00601000-00602000 rw-p 00001000 08:01 5119895 /usr/bin/ruby2.3
018bc000-01e61000 rw-p 00000000 00:00 0 [heap]
7fa812be8000-7fa812db1000 r--s 00000000 08:01 2883684 /lib/x86_64-linux-gnu/libc-2.23.so
7fa812db1000-7fa813021000 r--s 00000000 08:01 5113356 /usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3.0
7fa813021000-7fa813037000 r-xp 00000000 08:01 2888223 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fa813037000-7fa813236000 ---p 00016000 08:01 2888223 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fa813236000-7fa813237000 rw-p 00015000 08:01 2888223 /lib/x86_64-linux-gnu/libgcc_s.so.1
7fa813237000-7fa81323e000 r-xp 00000000 08:01 5245635 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/stringio.so
7fa81323e000-7fa81343d000 ---p 00007000 08:01 5245635 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/stringio.so
7fa81343d000-7fa81343e000 r--p 00006000 08:01 5245635 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/stringio.so
7fa81343e000-7fa81343f000 rw-p 00007000 08:01 5245635 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/stringio.so
7fa81343f000-7fa813441000 r-xp 00000000 08:01 5643926 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/trans/transdb.so
7fa813441000-7fa813641000 ---p 00002000 08:01 5643926 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/trans/transdb.so
7fa813641000-7fa813642000 r--p 00002000 08:01 5643926 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/trans/transdb.so
7fa813642000-7fa813643000 rw-p 00003000 08:01 5643926 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/trans/transdb.so
7fa813643000-7fa813645000 r-xp 00000000 08:01 5510480 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/encdb.so
7fa813645000-7fa813844000 ---p 00002000 08:01 5510480 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/encdb.so
7fa813844000-7fa813845000 r--p 00001000 08:01 5510480 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/encdb.so
7fa813845000-7fa813846000 rw-p 00002000 08:01 5510480 /usr/lib/x86_64-linux-gnu/ruby/2.3.0/enc/encdb.so
7fa813846000-7fa813c9c000 r--p 00000000 08:01 5113879 /usr/lib/locale/locale-archive
7fa813c9c000-7fa813da4000 r-xp 00000000 08:01 2883755 /lib/x86_64-linux-gnu/libm-2.23.so
7fa813da4000-7fa813fa3000 ---p 00108000 08:01 2883755 /lib/x86_64-linux-gnu/libm-2.23.so
7fa813fa3000-7fa813fa4000 r--p 00107000 08:01 2883755 /lib/x86_64-linux-gnu/libm-2.23.so
7fa813fa4000-7fa813fa5000 rw-p 00108000 08:01 2883755 /lib/x86_64-linux-gnu/libm-2.23.so
7fa813fa5000-7fa813fae000 r-xp 00000000 08:01 2883654 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fa813fae000-7fa8141ad000 ---p 00009000 08:01 2883654 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fa8141ad000-7fa8141ae000 r--p 00008000 08:01 2883654 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fa8141ae000-7fa8141af000 rw-p 00009000 08:01 2883654 /lib/x86_64-linux-gnu/libcrypt-2.23.so
7fa8141af000-7fa8141dd000 rw-p 00000000 00:00 0
7fa8141dd000-7fa8141e0000 r-xp 00000000 08:01 2883645 /lib/x86_64-linux-gnu/libdl-2.23.so
7fa8141e0000-7fa8143df000 ---p 00003000 08:01 2883645 /lib/x86_64-linux-gnu/libdl-2.23.so
7fa8143df000-7fa8143e0000 r--p 00002000 08:01 2883645 /lib/x86_64-linux-gnu/libdl-2.23.so
7fa8143e0000-7fa8143e1000 rw-p 00003000 08:01 2883645 /lib/x86_64-linux-gnu/libdl-2.23.so
7fa8143e1000-7fa814460000 r-xp 00000000 08:01 5120767 /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7fa814460000-7fa81465f000 ---p 0007f000 08:01 5120767 /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7fa81465f000-7fa814660000 r--p 0007e000 08:01 5120767 /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7fa814660000-7fa814661000 rw-p 0007f000 08:01 5120767 /usr/lib/x86_64-linux-gnu/libgmp.so.10.3.0
7fa814661000-7fa814679000 r-xp 00000000 08:01 2883647 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fa814679000-7fa814878000 ---p 00018000 08:01 2883647 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fa814878000-7fa814879000 r--p 00017000 08:01 2883647 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fa814879000-7fa81487a000 rw-p 00018000 08:01 2883647 /lib/x86_64-linux-gnu/libpthread-2.23.so
7fa81487a000-7fa81487e000 rw-p 00000000 00:00 0
7fa81487e000-7fa814a3e000 r-xp 00000000 08:01 2883684 /lib/x86_64-linux-gnu/libc-2.23.so
7fa814a3e000-7fa814c3e000 ---p 001c0000 08:01 2883684 /lib/x86_64-linux-gnu/libc-2.23.so
7fa814c3e000-7fa814c42000 r--p 001c0000 08:01 2883684 /lib/x86_64-linux-gnu/libc-2.23.so
7fa814c42000-7fa814c44000 rw-p 001c4000 08:01 2883684 /lib/x86_64-linux-gnu/libc-2.23.so
7fa814c44000-7fa814c48000 rw-p 00000000 00:00 0
7fa814c48000-7fa814eb0000 r-xp 00000000 08:01 5113356 /usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3.0
7fa814eb0000-7fa8150b0000 ---p 00268000 08:01 5113356 /usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3.0
7fa8150b0000-7fa8150b6000 r--p 00268000 08:01 5113356 /usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3.0
7fa8150b6000-7fa8150b7000 rw-p 0026e000 08:01 5113356 /usr/lib/x86_64-linux-gnu/libruby-2.3.so.2.3.0
7fa8150b7000-7fa8150c7000 rw-p 00000000 00:00 0
7fa8150c7000-7fa8150ed000 r-xp 00000000 08:01 2883646 /lib/x86_64-linux-gnu/ld-2.23.so
7fa8151c2000-7fa8152c9000 rw-p 00000000 00:00 0
7fa8152e6000-7fa8152e8000 r--s 00000000 08:01 5119895 /usr/bin/ruby2.3
7fa8152e8000-7fa8152e9000 ---p 00000000 00:00 0
7fa8152e9000-7fa8152ec000 rw-p 00000000 00:00 0
7fa8152ec000-7fa8152ed000 r--p 00025000 08:01 2883646 /lib/x86_64-linux-gnu/ld-2.23.so
7fa8152ed000-7fa8152ee000 rw-p 00026000 08:01 2883646 /lib/x86_64-linux-gnu/ld-2.23.so
7fa8152ee000-7fa8152ef000 rw-p 00000000 00:00 0
7fffe49f5000-7fffe51f4000 rw-p 00000000 00:00 0 [stack]
7fffe51fc000-7fffe51fe000 r--p 00000000 00:00 0 [vvar]
7fffe51fe000-7fffe5200000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html
Aborted (core dumped)
Analysis¶
The issue happens with the latest dev version of ruby and the default ruby version in my Ubuntu.
The bug comes from (renumber_by_map in regcomp.c:1963):
case NT_ENCLOSE:
{
EncloseNode* en = NENCLOSE(node);
if (en->type == ENCLOSE_CONDITION)
en->regnum = map[en->regnum].new_val;
r = renumber_by_map(en->target, map);
}
Here en->regnum is assigned new_val from map without checking the size of map.
With the input "".match /(())(?)((?(90000)))/, map is a 5 - element array and en->regnum = 90000 => en->regnum is assigned a new_val at map[90000] => buffer-over-flow. We can control the offset of the read and control the new_val to be assigned to en->regnum.
You can modify N in "".match /(())(?)((?(N)))/ until you get a crash.
This code is trigger only if the node is ENCLOSE_CONDITION and the following conditions are matched (regcomp.c:5770) and then disable_noname_group_capture is called:
#ifdef USE_NAMED_GROUP
/* mixed use named group and no-named group */
if (scan_env.num_named > 0 &&
IS_SYNTAX_BV(scan_env.syntax, ONIG_SYN_CAPTURE_ONLY_NAMED_GROUP) &&
!ONIG_IS_OPTION_ON(reg->options, ONIG_OPTION_CAPTURE_GROUP)) {
if (scan_env.num_named != scan_env.num_mem)
r = disable_noname_group_capture(&root, reg, &scan_env);
--
Thanks & Regards,
Nguyễn Đức Mạnh
Tarantula Team, VinCSS (Vingroup)
Files
Updated by xtkoba (Tee KOBAYASHI) about 4 years ago
Though the example might be pathological, causing segfaults is not nice.
I wrote a patch to make renumber_by_map (and renumber_node_backref) check the size of the array map before accessing its element.
The behavior after the patch is applied:
$ ./miniruby -e '"".match /(())(?<X>)((?(5)))/'
-e:1: invalid backref number/name: /(())(?<X>)((?(5)))/
Updated by xtkoba (Tee KOBAYASHI) about 4 years ago
- Status changed from Open to Closed
Applied in changeset git|0846c2da457e7523819236ac7da492029b3ef73d.
Check backref number buffer overrun [Bug #16376]
Updated by nobu (Nobuyoshi Nakada) almost 4 years ago
- Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) almost 4 years ago
- Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: REQUIRED to 2.6: REQUIRED, 2.7: REQUIRED, 3.0: DONE
ruby_3_0 2aad080396f5b79a33502f1d812fb237968cb931 merged revision(s) 0846c2da457e7523819236ac7da492029b3ef73d,6c7cb00c094332a208cf36e5cd723a9ba60c41b8.
Updated by dcouture-gitlab (Dominic Couture) over 3 years ago
I know this was fixed 6 months ago but I figured it wouldn't hurt to ask: Is a 2.7 backport possible here? Thanks.
Updated by usa (Usaku NAKAMURA) about 3 years ago
- Backport changed from 2.6: REQUIRED, 2.7: REQUIRED, 3.0: DONE to 2.6: WONTFIX, 2.7: DONE, 3.0: DONE
Actions
Like0
Like0Like0Like0Like0Like0Like0