Fixed memory disclosure in String#lines

Reported from from Alex Snaps via Mathieu Leduc-Hamel, both from shopify.com. Thank you!
author: Yukihiro "Matz" Matsumoto <[email protected]> 2016-11-16 02:05:19 +0900
committer: Yukihiro "Matz" Matsumoto <[email protected]> 2016-11-16 02:05:19 +0900
commit: 242b21947102d98aba2fa3db2725b129ca547f20 (patch)
tree: 96fa94222bafebda764aeeca4a26219ef193e08e /mrbgems/mruby-string-ext/src/string.c
parent: 92f72c749006407db4fa4a4faf123bde4a3043e4 (diff)
download: mruby-242b21947102d98aba2fa3db2725b129ca547f20.tar.gz
mruby-242b21947102d98aba2fa3db2725b129ca547f20.zip
1 files changed, 9 insertions, 2 deletions
diff --git a/mrbgems/mruby-string-ext/src/string.c b/mrbgems/mruby-string-ext/src/string.c
index 2a52d53b3..122ee5454 100644
--- a/mrbgems/mruby-string-ext/src/string.c
+++ b/mrbgems/mruby-string-ext/src/string.c
@@ -307,8 +307,9 @@ mrb_str_lines(mrb_state *mrb, mrb_value self)
   int ai;
   mrb_int len;
   mrb_value arg;
-  char *p = RSTRING_PTR(self), *t;
-  char *e = p + RSTRING_LEN(self);
+  char *b = RSTRING_PTR(self);
+  char *p = b, *t;
+  char *e = b + RSTRING_LEN(self);
 
   mrb_get_args(mrb, "&", &blk);
 
@@ -322,6 +323,12 @@ mrb_str_lines(mrb_state *mrb, mrb_value self)
       len = (mrb_int) (p - t);
       arg = mrb_str_new(mrb, t, len);
       mrb_yield_argv(mrb, blk, 1, &arg);
+      if (b != RSTRING_PTR(self)) {
+        ptrdiff_t diff = p - b;
+        b = RSTRING_PTR(self);
+        p = b + diff;
+      }
+      e = b + RSTRING_LEN(self);
     }
     return self;
   }
author	Yukihiro "Matz" Matsumoto <[email protected]>	2016-11-16 02:05:19 +0900
committer	Yukihiro "Matz" Matsumoto <[email protected]>	2016-11-16 02:05:19 +0900
commit	242b21947102d98aba2fa3db2725b129ca547f20 (patch)
tree	96fa94222bafebda764aeeca4a26219ef193e08e /mrbgems/mruby-string-ext/src/string.c
parent	92f72c749006407db4fa4a4faf123bde4a3043e4 (diff)
download	mruby-242b21947102d98aba2fa3db2725b129ca547f20.tar.gz mruby-242b21947102d98aba2fa3db2725b129ca547f20.zip