Resize ary when Array#sort! block modifies embedded ary
In cases where rb_ary_sort_bang is called with a block and tmp is an embedded array, we need to account for the block potentially impacting the capacity of ary.
The above example can put the array into a corrupted state resulting in a heap buffer overflow and possible segfault:
ERROR: AddressSanitizer: heap-buffer-overflow on address [...] WRITE of size 560 at 0x60b0000034f0 thread T0 [...]
This commit adds a conditional to determine when the capacity of ary has been modified by the provided block. If this is the case, ensure that the capacity of ary is adjusted to handle at minimum the len of tmp.