Issue #15946 has been updated by nobu (Nobuyoshi Nakada).


Thank you.
`s3` doesn't seem to need to share `s`.

----------------------------------------
Bug #15946: Undefined behavior can occur with memcpy in String#sub!
https://bugs.ruby-lang.org/issues/15946#change-78770

* Author: luke-gru (Luke Gruber)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: 
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN
----------------------------------------
Hi, I've found an overlapping memcpy in an odd situation:

```ruby
s = "hello there this is a long string and cant be embedded"
s2 = s.dup # create shared string pointing to s
s3 = s.slice(1, 100) # create shared string pointing to s with offset
s2.sub!(s3, s2) # just 1 example that exhibits the undefined behavior memcpy
```

In the C function `rb_str_sub_bang()`, I added a printf call and here's the output:

```c
if (rlen != plen) {
     memmove(p + beg0 + rlen, p + beg0 + plen, len - beg0 - plen);
}
fprintf(stderr, "p: %p, rp: %p, beg0: %ld, rlen: %ld, rp-p:%ld\n", p, rp, beg0, rlen, (long)((char*)rp-(char*)p));
/* outputs: p: 0x560a2cec8bc0, rp: 0x560a2cec8bc0, beg0: 1, rlen: 54, rp-p:0 */
memcpy(p + beg0, rp, rlen);
```

It doesn't crash on my system, but it could on some systems.

Thanks :)
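As an added illustration (not Ruby's code and not part of the report), here is a substitution core in the shape of the quoted `rb_str_sub_bang()` fragment, with one extra step: when the replacement pointer lies inside the receiver's own buffer, the replacement is snapshotted before the tail is shifted, so the final copy never overlaps its source. `sub_inplace` and `demo` are assumed names; `demo` reproduces the report's `s2.sub!(s3, s2)` scenario.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Replace plen bytes at offset beg0 of the heap buffer *bufp (length *lenp,
 * NUL-terminated) with the rlen bytes at rp.  Same shape as the
 * rb_str_sub_bang() core quoted above; the alias check is the added part.
 * Returns 0 on success, -1 on allocation failure. */
static int sub_inplace(char **bufp, long *lenp, long beg0, long plen,
                       const char *rp, long rlen)
{
    char *p = *bufp, *tmp = NULL;
    long len = *lenp;
    /* The report's hazard: rp points into the buffer being edited (rp-p:0 in
     * the quoted output).  The tail memmove would shift the replacement bytes
     * before they are copied and the final memcpy would overlap its own
     * source, so snapshot the replacement into a fresh block first.
     * Unsigned subtraction wraps, so one compare covers rp < p as well. */
    if ((uintptr_t)rp - (uintptr_t)p < (uintptr_t)len) {
        tmp = malloc(rlen > 0 ? (size_t)rlen : 1);
        if (!tmp) return -1;
        memcpy(tmp, rp, (size_t)rlen);
        rp = tmp;
    }
    if (rlen > plen) {                       /* grow before shifting the tail */
        char *np = realloc(p, (size_t)(len - plen + rlen + 1));
        if (!np) { free(tmp); return -1; }
        p = np;
    }
    if (rlen != plen)
        memmove(p + beg0 + rlen, p + beg0 + plen, (size_t)(len - beg0 - plen));
    memcpy(p + beg0, rp, (size_t)rlen);      /* rp is disjoint from p now */
    len += rlen - plen;
    p[len] = '\0';
    free(tmp);
    *bufp = p; *lenp = len;
    return 0;
}

/* The report's scenario: s2 == s, s3 == s.slice(1, 100) matches at beg0 = 1,
 * and the replacement is s2's own buffer (rlen == 54).  Caller frees. */
static char *demo(void)
{
    const char *src = "hello there this is a long string and cant be embedded";
    long len = (long)strlen(src);
    char *p = malloc((size_t)len + 1);
    if (!p) return NULL;
    memcpy(p, src, (size_t)len + 1);
    if (sub_inplace(&p, &len, 1, len - 1, p, len) != 0) { free(p); return NULL; }
    return p;   /* "h" + the original text, 55 bytes */
}
```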



-- 
https://bugs.ruby-lang.org/
