    merge revision(s) ade1283c: [Backport #16136] · a165a066
    nagachika authored
    Fix a use-after-free bug by avoiding rb_str_new_frozen

    `str2 = rb_str_new_frozen(str1)` seems to make str1 a shared string that
    refers to str2, but str2 is marked as neither STR_IS_SHARED_M nor
    STR_NOFREE.
    `rb_fstring(str2)` frees str2's ptr because it is not marked, and the
    freed pointer is the same as str1's ptr.
    After that, accessing str1 may cause use-after-free memory corruption.

    I guess this is a bug in rb_str_new_frozen, but I'm completely unsure
    what it should be; the string states and flags are not documented.
    So, this is a workaround for [Bug #16136].  I confirmed that rspec of
    activeadmin runs gracefully.
    
    git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67803 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
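As an added illustration, not Ruby's string.c and not part of this commit, here is a small C model of the ownership-flag mistake the message describes: buffers live in a fixed table with a "freed" bit so a dangling reference can be observed without real undefined behaviour. The struct, the flag names (loosely after STR_IS_SHARED_M) and every function are hypothetical.

```c
#include <stdbool.h>
#include <string.h>
/* Hypothetical model, not Ruby's string.c: buffers live in a fixed table with a
 * "freed" bit so a dangling reference can be observed without real UB. */
#define MAX_BUFS 8
#define STR_SHARED    0x1  /* this string refers to a buffer owned by another string */
#define STR_IS_SHARED 0x2  /* other strings refer to this string's buffer: never free it */

static struct { char data[32]; bool freed; } heap[MAX_BUFS];
static int next_buf;

typedef struct { int buf; unsigned flags; } str_t;

static str_t str_new(const char *s) {
    int i = next_buf++ % MAX_BUFS;
    strncpy(heap[i].data, s, sizeof heap[i].data - 1);
    heap[i].data[sizeof heap[i].data - 1] = '\0';
    heap[i].freed = false;
    return (str_t){ i, 0 };
}

/* Buggy variant, modelled on the report: str2 takes over str1's buffer and str1
 * becomes a reference to it, but str2 is never marked as having a sharer. */
static str_t new_frozen_buggy(str_t *str1) {
    str1->flags |= STR_SHARED;
    return (str_t){ str1->buf, 0 };
}

/* Fixed variant: the owner records that it is shared, so releasing it keeps the buffer. */
static str_t new_frozen_fixed(str_t *str1) {
    str1->flags |= STR_SHARED;
    return (str_t){ str1->buf, STR_IS_SHARED };
}

/* Interning/dedup step (rb_fstring-like): frees the buffer only for a sole owner. */
static void str_release(str_t *s) {
    if (s->flags & (STR_SHARED | STR_IS_SHARED)) return;
    heap[s->buf].freed = true;
}

/* Defensive check an accessor can make: is this string's buffer already gone? */
static bool str_dangling(const str_t *s) { return heap[s->buf].freed; }
/* Replay the sequence from the commit message; returns true if str1 is left dangling. */
static bool scenario(bool fixed) {
    str_t str1 = str_new("hello");
    str_t str2 = fixed ? new_frozen_fixed(&str1) : new_frozen_buggy(&str1);
    str_release(&str2);          /* the rb_fstring-like step drops str2 */
    return str_dangling(&str1);  /* true means a later read of str1 is a use-after-free */
}
```

`scenario(false)` reproduces the reported outcome (str1 dangles); `scenario(true)` shows that marking the owner as shared is enough for the release step to leave the buffer alone.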