Validate String argument in Zstd.read_skippable_frame #142

Open
Watson1978 wants to merge 1 commit into SpringMT:main from Watson1978:fix/read-skippable-frame-type-check

@Watson1978

Contributor

Summary

Zstd.read_skippable_frame called RSTRING_PTR / RSTRING_LEN on its
argument without going through StringValue(), unlike every other
public API in this gem (compress, decompress, write_skippable_frame,
streaming compress/decompress all do).

Passing a non-String therefore reinterpreted the object as an RString
and dereferenced its ptr/len fields, leading to a crash. For example a
Fixnum argument crashed at an address derived from its immediate value:

Zstd.read_skippable_frame(nil)        # SEGV
Zstd.read_skippable_frame(123456789)  # SEGV (address derived from the argument)

Fix

Add StringValue(input_value); at the top of rb_read_skippable_frame,
matching the other entry points. Non-String arguments now raise
TypeError, while String-convertible objects (#to_str) keep working.

 static VALUE rb_read_skippable_frame(VALUE self, VALUE input_value)
 {
+  StringValue(input_value);
   char* input_data = RSTRING_PTR(input_value);
   size_t input_size = RSTRING_LEN(input_value);
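
Review bot: StringValue(input_value); now sits as a statement ahead of the char* input_data and size_t input_size declarations, so a build in C89 mode or with -Wdeclaration-after-statement will warn at this point. Declaring both variables first and assigning them after the StringValue() call avoids that and keeps the ordering that matters: RSTRING_PTR and RSTRING_LEN must be read only after StringValue(), because it can replace input_value with the result of #to_str.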

Tests

Added specs to spec/zstd-skippable_frame_spec.rb:

  • non-String arguments (nil, Integer, Symbol, Array, Object) raise TypeError
  • objects responding to #to_str are still accepted

Full suite passes (66 examples, 0 failures).

🤖 Generated with Claude Code
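
The behaviour described under Fix and Tests, modelled in pure Ruby as an added example (not code from this pull request or from the gem). The helper names, the nil return for a missing or truncated frame, and the sample frame are assumptions made for illustration; the magic range and 8-byte header follow the Zstandard skippable-frame layout.

```ruby
# Added example: pure-Ruby model of the argument check, not the gem's C code.
SKIPPABLE_MAGIC_MIN = 0x184D2A50
SKIPPABLE_MAGIC_MAX = 0x184D2A5F
SKIPPABLE_HEADER_SIZE = 8 # 4-byte magic + 4-byte frame size, little-endian

# Hypothetical helper mirroring what StringValue() gives a C extension:
# Strings pass through, objects with #to_str are converted, and anything
# else raises TypeError instead of being read as string memory.
def coerce_to_string(obj)
  str = String.try_convert(obj)
  raise TypeError, "no implicit conversion of #{obj.class} into String" if str.nil?
  str
end

# Hypothetical reader: returns the user data of a leading skippable frame,
# or nil (assumed behaviour) when no complete frame is present.
def read_skippable_frame_checked(input)
  data = coerce_to_string(input).b
  return nil if data.bytesize < SKIPPABLE_HEADER_SIZE

  magic, size = data.unpack("V2")
  return nil unless magic.between?(SKIPPABLE_MAGIC_MIN, SKIPPABLE_MAGIC_MAX)
  # Never trust the declared size beyond the bytes actually supplied.
  return nil if size > data.bytesize - SKIPPABLE_HEADER_SIZE

  data.byteslice(SKIPPABLE_HEADER_SIZE, size)
end

# Constructed sample input: magic 0x184D2A50, declared size 5, payload "hello".
SAMPLE_FRAME = [SKIPPABLE_MAGIC_MIN, 5].pack("V2") + "hello"

# Constructed object that is String-convertible through #to_str.
class FrameHolder
  def initialize(bytes)
    @bytes = bytes
  end

  def to_str
    @bytes
  end
end

# Returns the arguments that were rejected with TypeError.
def rejected_types(args)
  args.select do |arg|
    read_skippable_frame_checked(arg)
    false
  rescue TypeError
    true
  end
end
```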

rb_read_skippable_frame called RSTRING_PTR/RSTRING_LEN on the argument
without going through StringValue(), unlike every other public API.
Passing a non-String reinterpreted the object as an RString and
dereferenced attacker-influenced fields, causing a SEGV (e.g. a Fixnum
argument crashed at an address derived from its immediate value).

Add StringValue() so non-String arguments raise TypeError while
String-convertible objects (#to_str) keep working. Covered by specs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>