Fix a use-after-free bug by avoiding rb_str_new_frozen

`str2 = rb_str_new_frozen(str1)` seems to make str1 a shared string that refers to str2, but str2 is not marked as STR_IS_SHARED_M nor STR_NOFREE. `rb_fstring(str2)` frees str2's ptr because it is not marked, and the free'ed pointer is the same as str1's ptr. After that, accessing str1 may cause use-after-free memory corruption. I guess this is a bug of rb_str_new_frozen, but I'm completely unsure what it should be; the string states and flags are not documented. So, this is a workaround for [Bug #16136]. I confirmed that rspec of activeadmin runs gracefully.
2019-09-06 23:18:26 +09:00 · 2019-09-06 23:18:26 +09:00 · ade1283ca2
commit ade1283ca2
parent 055b441093
1 changed files with 2 additions and 1 deletions
--- a/symbol.c
+++ b/symbol.c
@ -739,7 +739,8 @@ rb_str_intern(VALUE str)
 	enc = ascii;
    }
    else {
-	str = rb_str_new_frozen(str);
+        str = rb_str_dup(str);
+        OBJ_FREEZE(str);
    }
    str = rb_fstring(str);
    type = rb_str_symname_type(str, IDSET_ATTRSET_FOR_INTERN);