Bill Kelly wrote:

> static VALUE
> str_buf_cat(str, ptr, len)
>     VALUE str;
>     const char *ptr;
>     long len;
> {
>
>   // ...
>
>     memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len);

best to see it like this

    if (capa <= total) {
        while (total > capa) {
            if (capa + 1 >= LONG_MAX / 2) {
                capa = total;
                break;
            }
            capa = (capa + 1) * 2;
        }
        RESIZE_CAPA(str, capa);
    }
    memcpy(RSTRING(str)->ptr + RSTRING(str)->len, ptr, len);

before RESIZE_CAPA() it has RSTRING(str)->ptr == ptr and apparently
realloc(RSTRING(str)->ptr) (in RESIZE_CAPA) makes ptr invalid

Guy Decoux
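
Added example, not part of the original message or the Ruby source: a self-contained C sketch of the aliasing case described above, where the source pointer refers to the buffer being grown, handled by recording an offset before the resize and rebasing afterwards. `struct buf` and `buf_cat` are hypothetical names, plain `realloc` stands in for `RESIZE_CAPA`, and `memmove` replaces `memcpy` because source and destination share one block when aliased.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the ptr/len/capa part of Ruby's RString. */
struct buf { char *ptr; long len; long capa; };

/* Append len bytes at src to b; src may point into b's own storage.
 * Returns 0 on success, -1 on overflow or allocation failure. */
static int buf_cat(struct buf *b, const char *src, long len)
{
    if (len < 0 || len > LONG_MAX - 1 - b->len) return -1;
    long total = b->len + len;

    /* Detect aliasing BEFORE resizing and keep an offset, not an address. */
    long off = -1;
    uintptr_t s = (uintptr_t)src, base = (uintptr_t)b->ptr;
    if (b->ptr && s >= base && s <= base + (uintptr_t)b->len)
        off = (long)(s - base);

    if (b->capa <= total) {
        long capa = b->capa;
        while (total > capa) {            /* growth rule from the quoted code */
            if (capa + 1 >= LONG_MAX / 2) { capa = total; break; }
            capa = (capa + 1) * 2;
        }
        char *p = realloc(b->ptr, (size_t)capa + 1);
        if (!p) return -1;
        b->ptr = p;                       /* the old block may now be freed */
        b->capa = capa;
        if (off >= 0) src = b->ptr + off; /* rebase the stale source pointer */
    }
    memmove(b->ptr + b->len, src, (size_t)len);
    b->len = total;
    b->ptr[b->len] = '\0';
    return 0;
}

int main(void)
{
    struct buf b = {0};
    buf_cat(&b, "abc", 3);                /* constructed sample input */
    buf_cat(&b, b.ptr, b.len);            /* self-append: src == b.ptr */
    printf("%s (%ld bytes)\n", b.ptr, b.len);
    free(b.ptr);
    return 0;
}
```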