Bug #10304

closed

File.expand_path crashes with tilde on Windows

Added by h.shirosaki (Hiroshi Shirosaki) about 11 years ago. Updated about 11 years ago.

Status: Closed
Target version: -
ruby -v: ruby 2.2.0dev (2014-09-29 trunk 47735) [x64-mingw32]
[ruby-core:65317]

Description

File.expand_path crashes with user home which starts with tilde using mingw ruby.

TestFileExhaustive#test_expand_path_home in test-all crashed.

~~~
$ ./miniruby -e 'File.expand_path("~aaaaaaaaaaaaaaaaaaaaaa")'
-e:1: [BUG] probable buffer overflow: 22 for 16
ruby 2.2.0dev (2014-09-29 trunk 47735) [x64-mingw32]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0008 e:000007 CFUNC :expand_path
c:0002 p:0013 s:0004 E:0000f0 EVAL -e:1 [FINISH]
c:0001 p:0000 s:0002 E:000a00 TOP [FINISH]

-- Ruby level backtrace information ----------------------------------------
-e:1:in `<main>'
-e:1:in `expand_path'

-- C level backtrace information -------------------------------------------
C:\Windows\SYSTEM32\ntdll.dll(NtWaitForSingleObject+0xa) [0x00000000774212FA]
C:\Windows\system32\KERNELBASE.dll(WaitForSingleObjectEx+0x9c) [0x000007FEFD9410DC]
[0x000000000059FE74]
[0x000000000044B91C]
[0x0000000000539E83]
[0x00000000005C6E0D]
[0x00000000005C76A9]
[0x0000000000461A9F]
[0x000000000058A316]
[0x0000000000597161]
[0x000000000058F9CB]
[0x0000000000593781]
[0x000000000059C390]
[0x00000000004507B1]
[0x0000000000453901]
[0x00000000005CDD84]
[0x00000000004013D7]
[0x00000000004014F8]
C:\Windows\system32\kernel32.dll(BaseThreadInitThunk+0xd) [0x00000000771C59ED]

-- Other runtime information -----------------------------------------------

* Loaded script: -e

* Loaded features:

0 enumerator.so
1 rational.so
2 complex.so
~~~

It seems `rb_str_modify_expand()` doesn't expand string. Here is a patch. ```patch diff --git a/win32/file.c b/win32/file.c index 99c3521..549657e 100644 --- a/win32/file.c +++ b/win32/file.c 
@@ -290,10 +290,9 @@ append_wstr(VALUE dst, const wchar_t *ws, size_t len, UINT cp, UINT path_cp, rb_ if (cp == path_cp) {	nlen = WideCharToMultiByte(cp, 0, ws, len, NULL, 0, NULL, NULL);	olen = RSTRING_LEN(dst); -	rb_str_modify_expand(dst, nlen); +	rb_str_resize(dst, olen + nlen);	WideCharToMultiByte(cp, 0, ws, len, RSTRING_PTR(dst) + olen, nlen, NULL, NULL);	rb_enc_associate(dst, path_encoding); -	rb_str_set_len(dst, nlen); } else {	const int replaceflags = ECONV_UNDEF_REPLACE|ECONV_INVALID_REPLACE; 
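
Review bot: Neither `WideCharToMultiByte` call in the `cp == path_cp` branch has its return value checked, and because `rb_str_resize(dst, olen + nlen)` now fixes the final length before the second call runs, a failed or short conversion would leave bytes in `dst` from offset `olen` onward that were never written. I would check the second call's result and trim `dst` to `olen` plus the count actually written, or raise when it returns 0. `len` is also a `size_t` handed to a parameter the API declares as `int`, so a range check ahead of the first call is worth adding. Separately, switching to `rb_str_resize` at this one call site sidesteps `rb_str_modify_expand()` not growing the buffer rather than correcting it, so any other caller that relies on that function may still trip the same overflow check; the fix would be better placed in that function.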

Updated by nobu (Nobuyoshi Nakada) about 11 years ago #1 [ruby-core:65319]

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r47737.


string.c: fix NOFREE

  • string.c (str_make_independent_expand): drop NOFREE flag after
    reallocation, static buffer is not pointed anymore.
    [ruby-core:65317] [Bug #10304]