Issue #10296 has been updated by Josh Haberman.


Yes it seems like all uses of Data_Get_Struct() should be changed to use TypedData_Get_Struct() instead, doesn't it? TypedData* seems like a strictly better interface and it can provide type checking.

There are probably other instances of this in the standard library that don't involve initialize_copy.
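The type check that TypedData_Get_Struct() adds over Data_Get_Struct(), shown as a standalone C model (an added example, not Ruby's own source or its C API: the `data_type_t`, `wrapped_object_t`, payload structs and accessor names below are constructed stand-ins for rb_data_type_t, RTYPEDDATA and rb_check_typeddata, and the payloads only imitate the State and GzipWriter objects from the report). The unchecked accessor casts whatever it is handed; the checked one compares the object's type descriptor, walking the parent chain, and refuses a mismatch instead of reading another object's memory as a State.

```c
#include <stdio.h>
#include <string.h>

/* Type descriptor: models rb_data_type_t (name plus optional parent). */
typedef struct data_type {
    const char *wrap_struct_name;   /* used in the "wrong argument type" message */
    const struct data_type *parent; /* subtype chain, as rb_check_typeddata walks it */
} data_type_t;

/* Wrapped object: models a T_DATA object. type == NULL models an object
 * created with the untyped Data_Wrap_Struct(), which carries no descriptor. */
typedef struct { const data_type_t *type; void *data; } wrapped_object_t;

/* Constructed payloads standing in for the two objects in the report. */
typedef struct { int indent; int depth; } json_state_t;
typedef struct { FILE *fp; int level; } gzip_writer_t;

static const data_type_t json_state_type  = { "JSON::Ext::Generator::State", NULL };
static const data_type_t gzip_writer_type = { "Zlib::GzipWriter", NULL };

/* Models Data_Get_Struct(): a bare cast, no check of what obj wraps. */
static void *unchecked_get_struct(const wrapped_object_t *obj) { return obj->data; }

/* Models rb_check_typeddata() behind TypedData_Get_Struct(): returns the payload
 * only if obj's descriptor is `expected` or derives from it; otherwise writes the
 * error text (Ruby raises TypeError here) and returns NULL. */
static void *checked_get_struct(const wrapped_object_t *obj, const data_type_t *expected,
                                char *err, size_t errlen) {
    const data_type_t *t;
    for (t = obj->type; t != NULL; t = t->parent)
        if (t == expected) return obj->data;
    snprintf(err, errlen, "wrong argument type %s (expected %s)",
             obj->type ? obj->type->wrap_struct_name : "(untyped data)",
             expected->wrap_struct_name);
    return NULL;
}

/* The vulnerable shape: State#initialize_copy copying from whatever `orig` holds. */
static int state_initialize_copy_unchecked(wrapped_object_t *self, const wrapped_object_t *orig) {
    json_state_t *dst = unchecked_get_struct(self);
    void *src = unchecked_get_struct(orig);     /* may not be a json_state_t at all */
    memcpy(dst, src, sizeof *dst);              /* reads foreign memory as a State */
    return 0;                                   /* "succeeds" silently */
}

/* The hardened shape: both operands must really be States. */
static int state_initialize_copy_checked(wrapped_object_t *self, const wrapped_object_t *orig,
                                         char *err, size_t errlen) {
    json_state_t *dst = checked_get_struct(self, &json_state_type, err, errlen);
    json_state_t *src = orig ? checked_get_struct(orig, &json_state_type, err, errlen) : NULL;
    if (dst == NULL || src == NULL) return -1;
    *dst = *src;
    return 0;
}

/* Report scenario: a State asked to copy from a GzipWriter. Returns 1 when the
 * checked path rejects it, leaves self untouched and names both types. */
int demo_reject_wrong_type(void) {
    json_state_t s = { 2, 0 };
    gzip_writer_t w = { NULL, 6 };
    wrapped_object_t self = { &json_state_type, &s }, orig = { &gzip_writer_type, &w };
    char err[128] = "";
    int rc = state_initialize_copy_checked(&self, &orig, err, sizeof err);
    return rc == -1 && s.indent == 2 &&
           strcmp(err, "wrong argument type Zlib::GzipWriter (expected JSON::Ext::Generator::State)") == 0;
}

/* Same scenario through the unchecked path: returns 1 if it proceeds without complaint. */
int demo_unchecked_accepts_wrong_type(void) {
    json_state_t s = { 2, 0 };
    gzip_writer_t w = { NULL, 6 };
    wrapped_object_t self = { &json_state_type, &s }, orig = { &gzip_writer_type, &w };
    return state_initialize_copy_unchecked(&self, &orig) == 0;
}

/* Legitimate copy between two States: returns indent*10+depth copied into self (47). */
int demo_copy_same_type(void) {
    json_state_t s = { 0, 0 }, o = { 4, 7 };
    wrapped_object_t self = { &json_state_type, &s }, orig = { &json_state_type, &o };
    char err[128] = "";
    if (state_initialize_copy_checked(&self, &orig, err, sizeof err) != 0) return -1;
    return s.indent * 10 + s.depth;
}

int main(void) {
    printf("wrong type rejected by checked accessor: %d\n", demo_reject_wrong_type());
    printf("wrong type accepted by unchecked accessor: %d\n", demo_unchecked_accepts_wrong_type());
    printf("same-type copy result: %d\n", demo_copy_same_type());
    return 0;
}
```

In the real API the untyped/typed distinction is the whole point: an object wrapped with Data_Wrap_Struct() has no descriptor to compare, so converting a class to TypedData_Wrap_Struct() with its own rb_data_type_t is what makes the check in TypedData_Get_Struct() possible, and the error it raises is a TypeError rather than a read of unrelated memory.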

----------------------------------------
Bug #10296: SEGV from unchecked Data_Get_Struct() argument
https://bugs.ruby-lang.org/issues/10296#change-49107

* Author: Josh Haberman
* Status: Open
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
* ruby -v: ruby 2.1.3p242 (2014-09-19 revision 47630) [x86_64-darwin13.0]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
I can crash all Ruby versions I tried with this program:

require 'json'
require 'zlib'

module JSON
  module Ext
    module Generator
      class State
        def foo
          # initialize_copy is private, so it is reached from inside the class;
          # the argument is a GzipWriter, not a State, and the C extension
          # does not check that before reading its struct.
          initialize_copy(Zlib::GzipWriter.new('foo.gz'))
        end
      end
    end
  end
end

state = JSON::Ext::Generator::State.new.foo

-- 
https://bugs.ruby-lang.org/