* [ruby-core:22852] [Bug #1274] Heap Corruption in float#to_s
@ 2009-03-12 6:17 Charlie Savage
From: Charlie Savage @ 2009-03-12 6:17 UTC
To: ruby-core
Bug #1274: Heap Corruption in float#to_s
http://redmine.ruby-lang.org/issues/show/1274
Author: Charlie Savage
Status: Open, Priority: High
Category: core, Target version: 1.9.1
ruby -v: ruby 1.9.2dev (2009-03-12) [i386-mswin32_90]
Ruby compiled with -RCT1, VC 2008
Ruby code: -0.0.to_s
Result: Heap corruption.
Problem:
1. util.c:3222

    return nrv_alloc("0", rve, 1);

2. util.c:3069

    static char *
    nrv_alloc(const char *s, char **rve, int n)
    {
        char *rv, *t;

        t = rv = rv_alloc(n);            /* n bytes: room for the characters only */
        while ((*t = *s++) != 0) t++;    /* copies s and its NUL terminator: n + 1 bytes */
        if (rve)
            *rve = t;
        return rv;
    }
3. The loop writes the first byte of the rv buffer to '30'. It then writes the *second* byte to '0', causing a buffer overrun.
The fix is simple: change line 3073 to:

    t = rv = rv_alloc(n+1);
----------------------------------------
http://redmine.ruby-lang.org
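As an added example (not the util.c code from the report), the off-by-one above modelled in C with a bounded copy: rv_alloc is a constructed stand-in assumed to hand back exactly n bytes, and copy_cstr refuses any copy whose NUL terminator would not fit instead of writing past the block.

```c
/* Added example, not Ruby's util.c: models the nrv_alloc off-by-one.
 * rv_alloc() is a constructed stand-in assumed to return exactly n bytes,
 * which is the property the bug report relies on. */
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for util.c's rv_alloc: a block of exactly n bytes. */
static char *rv_alloc(size_t n) { return malloc(n); }

/* Bounded copy: writes s plus its NUL terminator into dst, which holds
 * cap bytes. Returns the number of bytes written, or 0 if the string and
 * its terminator would not fit (nothing is written in that case). */
static size_t copy_cstr(char *dst, size_t cap, const char *s)
{
    size_t need = strlen(s) + 1;        /* characters + NUL */
    if (need > cap) return 0;           /* would overrun the heap block */
    memcpy(dst, s, need);
    return need;
}

/* Mirrors the reported call nrv_alloc("0", rve, 1): n counts characters
 * only, so the terminator would land one byte past the allocation. The
 * bounded copy refuses instead of corrupting the heap; returns NULL then. */
static char *nrv_alloc_as_reported(const char *s, char **rve, size_t n)
{
    char *rv = rv_alloc(n);
    if (!rv) return NULL;
    size_t written = copy_cstr(rv, n, s);
    if (!written) { free(rv); return NULL; }
    if (rve) *rve = rv + written - 1;   /* points at the NUL, as in util.c */
    return rv;
}

/* Same logic with the fix from the report: allocate n + 1 bytes. */
static char *nrv_alloc_fixed(const char *s, char **rve, size_t n)
{
    char *rv = rv_alloc(n + 1);
    if (!rv) return NULL;
    size_t written = copy_cstr(rv, n + 1, s);
    if (!written) { free(rv); return NULL; }
    if (rve) *rve = rv + written - 1;
    return rv;
}
```

Under a real allocator the unbounded loop in the report silently writes the NUL one byte past the block, which is why the symptom shows up later as heap corruption rather than at the call site.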
* [ruby-core:22865] [Bug #1274](Closed) Heap Corruption in float#to_s
@ 2009-03-12 23:05 ` Nobuyoshi Nakada
From: Nobuyoshi Nakada @ 2009-03-12 23:05 UTC
To: ruby-core
Issue #1274 has been updated by Nobuyoshi Nakada.
Status changed from Open to Closed
% Done changed from 0 to 100
Applied in changeset r22919.
----------------------------------------
http://redmine.ruby-lang.org/issues/show/1274