Validate Buffer#read_frame argument to prevent SEGV #97

Merged
Watson1978 merged 1 commit into socketry:main from Watson1978:fix-read-frame-segv
Jul 2, 2026

Conversation

@Watson1978

Collaborator

Summary

Buffer#read_frame passed its data argument straight to the internal buffer_read_frame(), which appends to it via rb_str_cat() without any type check. When data is not a String, the immediate VALUE is dereferenced as a char* inside rb_str_cat, crashing the whole VM with a SEGV instead of raising a Ruby exception.

```ruby
require "cool.io"

b = Coolio::Buffer.new
b << "hello world"
b.read_frame(12345, 0x20)   # [BUG] Segmentation fault
```

Every other entry point (#append, #prepend) already coerces its argument to a String, so read_frame was the only unguarded path.

Fix

Coerce data with StringValue() and reject frozen strings with rb_str_modify() (since data is used as an output buffer that gets written to). This turns the crash into a proper TypeError / FrozenError, matching the behavior of #append and #prepend.

No compatibility impact: existing callers that pass a valid mutable String are unaffected; only misuse is now raised as an exception.

Tests

Added specs to spec/iobuffer_spec.rb covering:

  • non-String argument raises TypeError (no more SEGV)
  • frozen String raises FrozenError
  • objects responding to #to_str are coerced correctly

All buffer specs pass locally.

read_frame passed its data argument straight to buffer_read_frame(),
which appends to it via rb_str_cat() without any type check. A non-String
argument was dereferenced as a char* and crashed the VM instead of
raising an error.

Coerce data with StringValue() and reject frozen strings with
rb_str_modify(), matching the validation already done by #append and
#prepend. Add specs covering non-String, frozen String, and to_str
coercion cases.
@Watson1978 force-pushed the fix-read-frame-segv branch from 55f83ff to 8d1b207 (July 2, 2026 14:29)
@Watson1978 merged commit 9b7e768 into socketry:main (Jul 2, 2026)
14 checks passed
@Watson1978 deleted the fix-read-frame-segv branch (July 2, 2026 14:32)
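
Added example, not part of the pull request or the project's code: a self-contained C model of the guard order the Fix section describes, where the output argument is type-checked and frozen-checked before the first write. All `toy_*` names are hypothetical, the aligned-pointer test is a simplification of Ruby's real type check, `#to_str` coercion is not modelled, and copying through the frame mark is an assumed semantic.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uintptr_t value_t;   /* toy stand-in for Ruby's VALUE word */
enum { RF_OK = 0, RF_TYPE_ERROR = -1, RF_FROZEN_ERROR = -2 };
typedef struct { size_t len; int frozen; char *ptr; } toy_str;

/* CRuby-style Fixnum tagging: the integer is stored in the word itself, low bit set. */
static value_t toy_fixnum(long n) { return ((value_t)n << 1) | 1; }

/* Simplification: any non-zero, 8-byte-aligned word is treated as a toy_str pointer. */
static int toy_is_string(value_t v) { return v != 0 && (v & 7) == 0; }

static value_t toy_str_new(const char *s, int frozen) {
    toy_str *str = malloc(sizeof *str);
    str->len = strlen(s);
    str->frozen = frozen;
    str->ptr = malloc(str->len + 1);
    memcpy(str->ptr, s, str->len);
    return (value_t)str;
}

/* Unchecked append (the pre-fix behaviour): trusts v to be a string pointer.
 * Handing it toy_fixnum(12345) would dereference address 0x6073. */
static void toy_str_cat(value_t v, const char *src, size_t n) {
    toy_str *str = (toy_str *)v;
    str->ptr = realloc(str->ptr, str->len + n + 1);
    memcpy(str->ptr + str->len, src, n);
    str->len += n;
}

/* Guarded read_frame: validate the output argument before the first write.
 * Assumed semantics: copy from buf up to and including mark. */
static int toy_read_frame(const char *buf, size_t buflen, value_t data, char mark, int *found) {
    if (!toy_is_string(data)) return RF_TYPE_ERROR;           /* role of StringValue() */
    if (((toy_str *)data)->frozen) return RF_FROZEN_ERROR;    /* role of rb_str_modify() */
    const char *hit = memchr(buf, mark, buflen);
    toy_str_cat(data, buf, hit ? (size_t)(hit - buf) + 1 : buflen);
    *found = hit != NULL;
    return RF_OK;
}

int main(void) {
    int found = 0;
    value_t out = toy_str_new("", 0);   /* constructed sample input below */
    printf("fixnum arg: %d\n", toy_read_frame("hello world", 11, toy_fixnum(12345), 0x20, &found));
    printf("string arg: %d\n", toy_read_frame("hello world", 11, out, 0x20, &found));
    return 0;
}
```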