Issue #12425 has been reported by Eric Delaney.

----------------------------------------
Bug #12425: encoding string to UTF-16 is causing a segfault
https://bugs.ruby-lang.org/issues/12425

* Author: Eric Delaney
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: 2.3.0p0
* Backport: 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
----------------------------------------
While trying to create a YAML file in UTF-16 format for testing, I found that with the attached script ruby dies with a segfault because of memory corruption/free issues on 2.3.0p0, 2.2.4p230, and 2.2.3p173. (Note it works on 2.0.0p598.)

The underlying OS was Redhat 6.7 x64

The script is attempting to build up a yaml file of valid UTF-16 characters to test a Yaml file parser's behavior processing the UTF-16 character set.

[user@user accept]$ ruby -v
ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-linux]
[user@user accept]$ ruby test_bug.rb
test_bug.rb:24: [BUG] Segmentation fault at 0x00000000000000
ruby 2.3.0p0 (2015-12-25 revision 53290) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0005 p:---- s:0023 e:000022 CFUNC  :[]
c:0004 p:0054 s:0019 e:000018 METHOD test_bug.rb:24
c:0003 p:0066 s:0014 e:000012 METHOD test_bug.rb:38
c:0002 p:0041 s:0007 E:000318 EVAL   test_bug.rb:52 [FINISH]
c:0001 p:0000 s:0002 E:001210 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
test_bug.rb:52:in `<main>'
test_bug.rb:38:in `stream'
test_bug.rb:24:in `string'
test_bug.rb:24:in `[]'

-- Machine register context ------------------------------------------------
 RIP: 0x000000342c67886a RBP: 0x0000000000014d10 RSP: 0x00007ffc44160200
 RAX: 0x2d002d002d00fffe RBX: 0x0000000001f9a6c0 RCX: 0x00007fc2be30eadc
 RDX: 0x20002000fffe0a00 RDI: 0x000000342c98fe80 RSI: 0x0000000000000000
  R8: 0x0000000000000000  R9: 0x000000342c98fed0 R10: 0x000000342c98fed0
 R11: 0x0000000000000020 R12: 0x0000000001faf3d0 R13: 0x000000342c98fe80
 R14: 0x0000000000006a10 R15: 0x0000000000000001 EFL: 0x0000000000010202

-- C level backtrace information -------------------------------------------


-----------------------------------------------------------------------------

[user@user accept]$ ruby -v
ruby 2.2.4p230 (2015-12-16 revision 53155) [x86_64-linux]
[user@user accept]$ ruby test_bug.rb
*** glibc detected *** ruby: malloc(): memory corruption: 0x000000000188ee50 ***
======= Backtrace: =========
/lib64/libc.so.6[0x342c675f4e]
/lib64/libc.so.6[0x342c67a41a]
/lib64/libc.so.6(__libc_malloc+0x5c)[0x342c67ab1c]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x97ace)[0x7f5f8e669ace]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(st_init_table_with_size+0x23)[0x7f5f8e71a403]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x177d24)[0x7f5f8e749d24]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(rb_econv_open+0x1b9)[0x7f5f8e74c439]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(rb_econv_open_opts+0x7d)[0x7f5f8e74e74d]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x17d0cf)[0x7f5f8e74f0cf]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x17d670)[0x7f5f8e74f670]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x1a8a0a)[0x7f5f8e77aa0a]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x1b5de5)[0x7f5f8e787de5]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x1ab36b)[0x7f5f8e77d36b]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(rb_iseq_eval_main+0x221)[0x7f5f8e77de21]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(+0x764f7)[0x7f5f8e6484f7]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(ruby_exec_node+0x1d)[0x7f5f8e64854d]
/home/user/.rvm/rubies/ruby-2.2.4/lib/libruby.so.2.2(ruby_run_node+0x1e)[0x7f5f8e64b6fe]
ruby[0x4008eb]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x342c61ed5d]
ruby[0x4007d9]
Aborted (core dumped)


-----------------------------------------------------------------------------
[user@user accept]$ ruby -v
ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]
[user@user accept]$ ruby test_bug.rb
*** glibc detected *** ruby: free(): invalid next size (normal): 0x0000000002137e60 ***
======= Backtrace: =========
/lib64/libc.so.6[0x342c675f4e]
/lib64/libc.so.6[0x342c678cf0]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(ruby_xfree+0x3c)[0x7f1557ddad7c]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(+0x17cca8)[0x7f1557ec2ca8]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(+0x17d030)[0x7f1557ec3030]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(+0x1a841a)[0x7f1557eee41a]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(+0x1b1ec5)[0x7f1557ef7ec5]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(+0x1b74eb)[0x7f1557efd4eb]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(rb_iseq_eval_main+0x221)[0x7f1557efdf91]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(+0x76517)[0x7f1557dbc517]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(ruby_exec_node+0x1d)[0x7f1557dbc56d]
/home/user/.rvm/rubies/ruby-2.2.3/lib/libruby.so.2.2(ruby_run_node+0x1e)[0x7f1557dbf71e]
ruby[0x4008eb]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x342c61ed5d]
ruby[0x4007d9]
Aborted (core dumped)
[user@user accept]$ 


-----------------------------------------------------------------------------
[user@user accept]$ ruby -v
ruby 2.0.0p598 (2014-11-13 revision 48408) [x86_64-linux]
[user@user accept]$ ruby test_bug.rb
[user@user accept]$ echo "it worked"


---Files--------------------------------
test_bug.rb (1.23 KB)
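As an added illustration (not the reporter's attached test_bug.rb, which is not reproduced here), this is one way to build a BOM-prefixed UTF-16LE YAML document out of valid Unicode scalar values, skipping the surrogate range and noncharacters, and to verify that the transcoding round-trips losslessly; the function names are my own.

```ruby
# Added illustration: generate a UTF-16LE YAML document from valid scalar
# values and check that decoding it back yields the original UTF-8 text.
# Not the reporter's test_bug.rb; helper names here are invented.

# A code point is a valid scalar value unless it is a UTF-16 surrogate
# (U+D800..U+DFFF). Noncharacters (U+FDD0..U+FDEF and U+xxFFFE/U+xxFFFF)
# encode fine but are excluded so a BOM-prefixed file stays unambiguous.
def valid_scalar?(cp)
  return false if cp.between?(0xD800, 0xDFFF)
  return false if cp.between?(0xFDD0, 0xFDEF)
  return false if (cp & 0xFFFE) == 0xFFFE
  cp <= 0x10FFFF
end

# UTF-8 string containing every valid scalar in [first, last].
def sample_text(first, last)
  (first..last).select { |cp| valid_scalar?(cp) }.pack("U*")
end

# Escape the two characters that are special inside a YAML double-quoted scalar.
def yaml_quote(s)
  "\"" + s.gsub(/["\\]/) { |c| "\\" + c } + "\""
end

# One-line YAML mapping holding the sample text.
def yaml_body(first, last)
  "chars: #{yaml_quote(sample_text(first, last))}\n"
end

# Full document bytes: UTF-16LE BOM (FF FE) followed by the UTF-16LE body.
def utf16_yaml(first, last)
  bom = "\uFEFF".encode("UTF-16LE")
  bom + yaml_body(first, last).encode("UTF-16LE")
end

# Decode a UTF-16LE blob back to UTF-8 and strip the leading BOM.
def decode_utf16(bytes)
  bytes.dup.force_encoding("UTF-16LE").encode("UTF-8").sub(/\A\uFEFF/, "")
end

# Round trip: encode, decode, compare with the UTF-8 we started from.
def roundtrip_ok?(first, last)
  decode_utf16(utf16_yaml(first, last)) == yaml_body(first, last)
end

if __FILE__ == $PROGRAM_NAME
  blob = utf16_yaml(0x20, 0x7E)
  puts "document is #{blob.bytesize} bytes, roundtrip ok: #{roundtrip_ok?(0x20, 0x7E)}"
end
```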

