Issue #10019 has been updated by Tomas Hoger.


This seems to be getting off-topic, so just a few quick notes:

* It seems -fstack-protector* (SSP) is what is referred to in the previous comment, not FORTIFY_SOURCE.
* If there is an overflow of encodes()'s buff[], it corrupts encodes()'s SSP cookie, which is only checked on exit from encodes().  rb_str_buf_cat() called from encodes() after the overflow does not matter, as it may or may not have its own SSP cookie, which is checked at its exit, and that one is not corrupted by the buff[] overflow.  So the check leading to rb_bug() is still expected to happen, as the corrupted SSP cookie is only checked later.
* The first byte of the SSP cookie is expected to be '\0' on e.g. recent Linux systems (https://sourceware.org/bugzilla/show_bug.cgi?id=10149).  Hence off-by-one overflow with '\0' would not be detected.

----------------------------------------
Bug #10019: segmentation fault/buffer overrun in pack.c (encodes)
https://bugs.ruby-lang.org/issues/10019#change-48187

* Author: Will Wood
* Status: Feedback
* Priority: Normal
* Assignee: 
* Category: core
* Target version: 
* ruby -v: ruby 2.1.2p168 (2014-07-06 revision 46721) [i386-mingw32]
* Backport: 2.0.0: REQUIRED, 2.1: DONE
----------------------------------------
While working with an AWS sample I hit a segmentation fault.  The same sample works under 1.9.3.  It appeared to be coming from the pack.c function encodes.  After looking at the source, there's a 4K buffer allocated on the stack.  I made a minor change to base the buffer length off of the incoming buffer length with a pad and allocate it off the heap.  Anyway, after fixing this my code sample runs fine.  I'm including a patch file and the sample code.
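
The sizing approach described above (derive the output buffer size from the incoming length and allocate it on the heap instead of using a fixed 4K stack array), as an added illustration that is not pack.c's encodes() and not the attached patch: a hypothetical base64 encoder whose bound `b64_needed()` is computed before any write, so no input length can run past the buffer. The line-wrapping behaviour and the helper names are assumptions for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Base64 alphabet (hypothetical encoder, not pack.c's encodes()). */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Worst-case output size derived from the input length: 4 chars per 3
 * input bytes (rounded up), one '\n' per line of line_len chars
 * (0 = no wrapping), plus the terminating NUL. */
size_t b64_needed(size_t n, size_t line_len) {
    size_t chars = ((n + 2) / 3) * 4;
    size_t lines = line_len ? (chars + line_len - 1) / line_len : 0;
    return chars + lines + 1;
}

/* Encodes n bytes of src into a heap buffer sized by b64_needed(), so the
 * writes below can never exceed the allocation; caller frees the result. */
char *b64_encode(const unsigned char *src, size_t n, size_t line_len,
                 size_t *out_len) {
    size_t cap = b64_needed(n, line_len), o = 0, col = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)src[i] << 16;
        if (i + 1 < n) v |= (unsigned)src[i + 1] << 8;
        if (i + 2 < n) v |= src[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < n) ? B64[v & 63] : '=';
        col += 4;
        if (line_len && col >= line_len) { out[o++] = '\n'; col = 0; }
    }
    if (line_len && col) out[o++] = '\n';   /* terminate a partial last line */
    out[o] = '\0';
    *out_len = o;
    return out;
}

/* Returns 1 if encoding src gives `expected` and stayed within the bound. */
int encodes_to(const char *src, size_t line_len, const char *expected) {
    size_t n = strlen(src), len = 0;
    char *out = b64_encode((const unsigned char *)src, n, line_len, &len);
    if (!out) return 0;
    int ok = strcmp(out, expected) == 0 && len + 1 <= b64_needed(n, line_len);
    free(out);
    return ok;
}
```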

---Files--------------------------------
pack.patch (2.74 KB)
BucketTest.rb (326 Bytes)
pack.c.patch (769 Bytes)


-- 
https://bugs.ruby-lang.org/