[Bug #21380] Prohibit modification in String#split block

nobu · nobu · commit fa85d23ff4a0 · 2025-05-29T11:10:58.000+09:00
Reported at https://hackerone.com/reports/3163876
diff --git a/string.c b/string.c
@@ -9748,11 +9748,15 @@ rb_str_split_m(int argc, VALUE *argv, VALUE str)
         }
     }
 
-#define SPLIT_STR(beg, len) (empty_count = split_string(result, str, beg, len, empty_count))
+#define SPLIT_STR(beg, len) ( \
+        empty_count = split_string(result, str, beg, len, empty_count), \
+        str_mod_check(str, str_start, str_len))
 
     beg = 0;
     char *ptr = RSTRING_PTR(str);
-    char *eptr = RSTRING_END(str);
+    char *const str_start = ptr;
+    const long str_len = RSTRING_LEN(str);
+    char *const eptr = str_start + str_len;
     if (split_type == SPLIT_TYPE_AWK) {
         char *bptr = ptr;
         int skip = 1;
@@ -9813,7 +9817,6 @@ rb_str_split_m(int argc, VALUE *argv, VALUE str)
         }
     }
     else if (split_type == SPLIT_TYPE_STRING) {
-        char *str_start = ptr;
         char *substr_start = ptr;
         char *sptr = RSTRING_PTR(spat);
         long slen = RSTRING_LEN(spat);
@@ -9830,14 +9833,14 @@ rb_str_split_m(int argc, VALUE *argv, VALUE str)
                 continue;
             }
             SPLIT_STR(substr_start - str_start, (ptr+end) - substr_start);
+            str_mod_check(spat, sptr, slen);
             ptr += end + slen;
             substr_start = ptr;
             if (!NIL_P(limit) && lim <= ++i) break;
         }
         beg = ptr - str_start;
     }
     else if (split_type == SPLIT_TYPE_CHARS) {
-        char *str_start = ptr;
         int n;
 
         if (result) result = rb_ary_new_capa(RSTRING_LEN(str));
diff --git a/test/ruby/test_string.rb b/test/ruby/test_string.rb
@@ -1869,6 +1869,13 @@ def test_split_with_block
 
     result = []; S("aaa,bbb,ccc,ddd").split(/,/) {|s| result << s.gsub(/./, "A")}
     assert_equal(["AAA"]*4, result)
+
+    s = S("abc ") * 20
+    assert_raise(RuntimeError) {
+      10.times do
+        s.split {s.prepend("xxx" * 100)}
+      end
+    }
   ensure
     EnvUtil.suppress_warning {$; = fs}
   end

Original file line number	Diff line number	Diff line change
`@@ -9748,11 +9748,15 @@ rb_str_split_m(int argc, VALUE *argv, VALUE str)`
`9748`	`9748`	`}`
`9749`	`9749`	`}`
`9750`	`9750`
`9751`		`-#define SPLIT_STR(beg, len) (empty_count = split_string(result, str, beg, len, empty_count))`
	`9751`	`+#define SPLIT_STR(beg, len) ( \`
	`9752`	`+ empty_count = split_string(result, str, beg, len, empty_count), \`
	`9753`	`+ str_mod_check(str, str_start, str_len))`
`9752`	`9754`
`9753`	`9755`	`beg = 0;`
`9754`	`9756`	`char *ptr = RSTRING_PTR(str);`
`9755`		`- char *eptr = RSTRING_END(str);`
	`9757`	`+ char *const str_start = ptr;`
	`9758`	`+ const long str_len = RSTRING_LEN(str);`
	`9759`	`+ char *const eptr = str_start + str_len;`
`9756`	`9760`	`if (split_type == SPLIT_TYPE_AWK) {`
`9757`	`9761`	`char *bptr = ptr;`
`9758`	`9762`	`int skip = 1;`
`@@ -9813,7 +9817,6 @@ rb_str_split_m(int argc, VALUE *argv, VALUE str)`
`9813`	`9817`	`}`
`9814`	`9818`	`}`
`9815`	`9819`	`else if (split_type == SPLIT_TYPE_STRING) {`
`9816`		`- char *str_start = ptr;`
`9817`	`9820`	`char *substr_start = ptr;`
`9818`	`9821`	`char *sptr = RSTRING_PTR(spat);`
`9819`	`9822`	`long slen = RSTRING_LEN(spat);`
`@@ -9830,14 +9833,14 @@ rb_str_split_m(int argc, VALUE *argv, VALUE str)`
`9830`	`9833`	`continue;`
`9831`	`9834`	`}`
`9832`	`9835`	`SPLIT_STR(substr_start - str_start, (ptr+end) - substr_start);`
	`9836`	`+ str_mod_check(spat, sptr, slen);`
`9833`	`9837`	`ptr += end + slen;`
`9834`	`9838`	`substr_start = ptr;`
`9835`	`9839`	`if (!NIL_P(limit) && lim <= ++i) break;`
`9836`	`9840`	`}`
`9837`	`9841`	`beg = ptr - str_start;`
`9838`	`9842`	`}`
`9839`	`9843`	`else if (split_type == SPLIT_TYPE_CHARS) {`
`9840`		`- char *str_start = ptr;`
`9841`	`9844`	`int n;`
`9842`	`9845`
`9843`	`9846`	`if (result) result = rb_ary_new_capa(RSTRING_LEN(str));`