Bug #1274: Heap Corruption in float#to_s
http://redmine.ruby-lang.org/issues/show/1274

Author: Charlie Savage
Status: Open, Priority: High
Category: core, Target version: 1.9.1
ruby -v: ruby 1.9.2dev (2009-03-12) [i386-mswin32_90]

Ruby compiled with -RTC1, VC 2008

Ruby code: -0.0.to_s

Result: Heap corruption.

Problem:

1.  util.c:3222
return nrv_alloc("0", rve, 1);

2.  util.c:3069

static char *
nrv_alloc(const char *s, char **rve, int n)
{
    char *rv, *t;

    t = rv = rv_alloc(n);                  /* allocates exactly n bytes */
    while ((*t = *s++) != 0) t++;          /* copies s plus its NUL: n + 1 bytes */
    if (rve)
        *rve = t;                          /* rve points at the terminating NUL */
    return rv;
}

3. With n == 1, rv_alloc(n) returns a one-byte buffer. The loop writes the first byte of rv to 0x30 ('0'). It then writes the *second* byte to 0 (the terminating NUL), one byte past the end of the allocation, causing a heap buffer overrun.

The fix is simple: change line 3073 to allocate room for the terminator:

t = rv = rv_alloc(n+1);
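As an added illustration, not code from the ticket or from util.c, the same copy loop run against an allocation with a guard byte placed just past the requested size, so the off-by-one can be observed for both the original rv_alloc(n) and the patched rv_alloc(n+1) without actually corrupting the heap. rv_alloc_canary, nrv_copy and overruns are hypothetical names, and the inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>

#define CANARY 0xA5

/* Stand-in for rv_alloc: hands back `n` usable bytes and plants one guard
 * byte immediately past them (the extra byte exists only so the overrun
 * can be detected; real rv_alloc gives the caller nothing past n). */
static char *rv_alloc_canary(int n)
{
    char *p = malloc((size_t)n + 1);
    if (!p) abort();
    p[n] = (char)CANARY;
    return p;
}

/* The nrv_alloc copy loop, with the allocation size passed in explicitly
 * so the caller can choose the buggy size (n) or the fixed size (n + 1). */
static char *nrv_copy(const char *s, char **rve, int alloc_n)
{
    char *rv, *t;

    t = rv = rv_alloc_canary(alloc_n);
    while ((*t = *s++) != 0) t++;   /* writes strlen(s) + 1 bytes */
    if (rve)
        *rve = t;
    return rv;
}

/* Copies string `s` of length `n` and reports whether the guard byte past
 * the allocation was overwritten: 1 = buffer overrun, 0 = copy stayed in
 * bounds. `fixed` selects rv_alloc(n + 1) instead of rv_alloc(n). */
int overruns(const char *s, int n, int fixed)
{
    int alloc_n = fixed ? n + 1 : n;
    char *end = NULL;
    char *rv = nrv_copy(s, &end, alloc_n);
    int clobbered = (unsigned char)rv[alloc_n] != (unsigned char)CANARY;
    free(rv);
    return clobbered;
}

int main(void)
{
    /* The -0.0.to_s case from the report: nrv_alloc("0", rve, 1). */
    printf("rv_alloc(n)   overrun: %d\n", overruns("0", 1, 0));
    printf("rv_alloc(n+1) overrun: %d\n", overruns("0", 1, 1));
    return 0;
}
```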
