Issue #15934 has been reported by alanwu (Alan Wu).

----------------------------------------
Bug #15934: String#b can lead to memory corruption
https://bugs.ruby-lang.org/issues/15934

* Author: alanwu (Alan Wu)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: trunk(801d0d9), 2.4.6, 2.5.5, 2.6.3
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
The following script triggers use-after-free on trunk(801d0d9), 2.4.6, 2.5.5 and 2.6.3.

```ruby
# Force a binary-encoded copy of a 24-byte string, then register it as an fstring
# by using it as the file name argument of eval.
a = ('j' * 24).b.b
eval('', binding, a)

p a
# After collection the memory backing `a` has been freed and may be reused.
4.times { GC.start }
p a
```

The consequence is usually that `a` gets corrupted (it depends on what the system allocator does when it frees memory). Here is a sample output for the script:

```
$> ruby -v bad.rb
ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
"jjjjjjjjjjjjjjjjjjjjjjjj"
"D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"
```
This is caused by the same underlying issue as #15792.  Credits to wanabe-san for using eval as a cross-version way of registering a fstring.

I have a fix for this: https://github.com/ruby/ruby/pull/2183
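As an added example, not part of the report or of the linked pull request, the following script wraps the reproducer so that an operator can confirm whether a given interpreter still exhibits the corruption before and after deploying the fix. It runs the reproducer in a child process (assumed to be reachable through `RbConfig.ruby`) so that a crash or corrupted output cannot disturb the checking script, and it judges the result by parsing the two `p a` lines; the helper names, the constructed sample output and the `-e` invocation are this example's own assumptions.

```ruby
require "rbconfig"
require "open3"

# Reproducer from the report, kept verbatim so the check exercises the same path.
REPRO = <<~'RUBY'
  a = ('j' * 24).b.b
  eval('', binding, a)
  p a
  4.times { GC.start }
  p a
RUBY

# What `p a` prints for an intact 24-byte binary string of 'j'.
EXPECTED = ('"' + 'j' * 24 + '"').freeze

# Keep only the `p a` result lines (they start with a double quote), which skips
# a leading `ruby -v` banner such as the one in the report's sample output.
def inspect_lines(output)
  output.lines.map(&:chomp).select { |l| l.start_with?('"') }
end

# true when the second print differs from the intact value (corruption) or when
# fewer than two result lines arrived (the child crashed before finishing).
def corrupted?(output)
  before, after = inspect_lines(output).last(2)
  return true if before.nil? || after.nil?
  before != EXPECTED || after != EXPECTED
end

# Runs the reproducer under `ruby` (hypothetical helper; defaults to the
# interpreter executing this script) and reports what was observed.
def string_b_uaf_check(ruby = RbConfig.ruby)
  out, err, status = Open3.capture3(ruby, "-e", REPRO)
  {
    affected: !status.success? || corrupted?(out),
    lines: inspect_lines(out),
    exitstatus: status.exitstatus,
    stderr: err
  }
end

# Constructed sample modelled on the report's output for an affected build.
SAMPLE_AFFECTED_OUTPUT = <<~'OUT'
  ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-darwin18]
  "jjjjjjjjjjjjjjjjjjjjjjjj"
  "D[D'\xFD\a\x00\xF0\x00\x00\x00\x00\x00\x00\x00\x90\x18\x00jjjjjj"
OUT

if __FILE__ == $PROGRAM_NAME
  r = string_b_uaf_check
  puts "#{RbConfig.ruby}: #{r[:affected] ? 'AFFECTED' : 'not affected'} " \
       "(exit #{r[:exitstatus]}, printed #{r[:lines].inspect})"
end
```

Because the corruption depends on allocator reuse, a clean run on one host is not proof of a fixed interpreter; the reliable signal is the interpreter version carrying the fix, with this check as a supporting smoke test.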


