Later https://hackerone.com/titanous reported what appears to be the same issue, and provided this crashing input (again, confirmed to crash MRuby when built on Ubuntu 14.04):
range_check can trigger a stack extension via mrb_funcall if there are many arguments passed to the equivalence test. The stack extension changes the address of the stack, though the old stack address is used when assigning the value of the range. This causes a write into the old heap allocation, which has already been freed.
and suggested the following patch:
From ec7d6b4078f25bcc7c25b210e2d69c910ea9b923 Mon Sep 17 00:00:00 2001
From: Jonathan Rudenberg <jonathan@titanous.com>
Date: Fri, 30 Dec 2016 17:44:25 -0500
Subject: [PATCH] Fix heap use-after-free during range creation
---
src/vm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/vm.c b/src/vm.c
index cca0fd03..368b75a9 100644
--- a/src/vm.c+++ b/src/vm.c@@ -2411,7 +2411,8 @@ RETRY_TRY_BLOCK:
CASE(OP_RANGE) {
/* A B C R(A) := range_new(R(B),R(B+1),C) */
int b = GETARG_B(i);
- regs[GETARG_A(i)] = mrb_range_new(mrb, regs[b], regs[b+1], GETARG_C(i));+ mrb_value res = mrb_range_new(mrb, regs[b], regs[b+1], GETARG_C(i));+ regs[GETARG_A(i)] = res;
ARENA_RESTORE(mrb, ai);
NEXT;
}
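Review bot: the split store at `regs[GETARG_A(i)] = res;` is only a complete fix if `regs` denotes the live stack after `mrb_range_new` returns; if `regs` is a plain local pointer cached before the call rather than one reloaded from the VM context, the second line still writes through the stale pointer into the freed block, so please confirm that or reload it before the store. The reason the original one-liner is unsafe is that C does not sequence the evaluation of the lvalue `regs[GETARG_A(i)]` relative to the call on the right-hand side, so the compiler may form the destination address from the pre-extension stack, and holding the result in `mrb_value res` removes that ambiguity. Since the report includes a many-argument input that reproduces the crash, adding it as a regression test would show the fix holds, and other opcodes that call into Ruby-level code with the same `regs[...] = call(...)` shape are worth a quick audit for the same pattern.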
--
2.11.0
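The diagnosis above describes a general hazard: a callee reallocates the VM stack while the caller still holds a pointer into the old block, and the `regs[a] = call(...)` form may compute the store address before the call runs. The following C program is an added example, not mruby's code, that models the mechanism with a constructed growable register stack (`vmstack`, `vm_extend`, `make_range`, `op_range_safe` are all invented names): the callee extends the stack the way a many-argument `mrb_funcall` would, a helper reports whether a pointer cached before the call has gone stale, and the defensive form reads operands, makes the call, refreshes the base pointer and only then stores.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a VM register stack that a callee may reallocate.
 * None of these names are mruby's; they exist only for this example. */
typedef struct {
    long *base;   /* start of the register file */
    size_t len;   /* registers in use */
    size_t cap;   /* allocated registers */
} vmstack;

int vm_init(vmstack *s, size_t cap) {
    s->base = calloc(cap, sizeof *s->base);
    if (!s->base) return 0;
    s->len = 0;
    s->cap = cap;
    return 1;
}

void vm_free(vmstack *s) {
    free(s->base);
    s->base = NULL;
    s->len = s->cap = 0;
}

/* Grow the stack so that `needed` registers fit. The block is always moved
 * (allocate + copy + free instead of realloc) so that a pointer taken before
 * the call is deterministically stale, as a freed VM stack would be.
 * Returns 1 if the stack moved, 0 if no growth was needed, -1 on failure. */
int vm_extend(vmstack *s, size_t needed) {
    if (needed <= s->cap) return 0;
    size_t ncap = s->cap ? s->cap : 1;
    while (ncap < needed) ncap *= 2;
    long *nb = calloc(ncap, sizeof *nb);
    if (!nb) return -1;
    memcpy(nb, s->base, s->len * sizeof *nb);
    free(s->base);
    s->base = nb;
    s->cap = ncap;
    return 1;
}

/* Stand-in for range construction: the equivalence test it performs may push
 * `extra_args` arguments, extending (and moving) the stack before it returns.
 * The returned value is a placeholder for the range object. */
long make_range(vmstack *s, size_t extra_args, long lo, long hi) {
    if (vm_extend(s, s->len + extra_args) < 0) return 0;
    return hi - lo;
}

/* 1 if a pointer cached before a call no longer points at the live stack,
 * i.e. the condition under which `regs[a] = call()` writes to freed memory. */
int cached_base_is_stale(const vmstack *s, const long *cached) {
    return cached != s->base;
}

/* Defensive form of OP_RANGE: operands are read before the call, the result
 * is held in a local, and the base pointer is refreshed before the store. */
long op_range_safe(vmstack *s, size_t a, size_t b, size_t extra_args) {
    long lo = s->base[b];
    long hi = s->base[b + 1];
    long res = make_range(s, extra_args, lo, hi);   /* may move s->base */
    long *regs = s->base;                            /* refresh after the call */
    regs[a] = res;
    return res;
}

/* Shows the hazard without touching freed memory: take the pointer the buggy
 * form would have stored through, perform the call, report whether it went stale. */
int op_range_hazard(vmstack *s, size_t b, size_t extra_args) {
    long *regs = s->base;                             /* cached before the call */
    (void)make_range(s, extra_args, regs[b], regs[b + 1]);
    return cached_base_is_stale(s, regs);             /* 1: store would hit freed memory */
}
```

Running the real interpreter under AddressSanitizer is the practical way to confirm this class of bug, since a write through the stale pointer is reported as a heap-use-after-free at the offending store; the model above makes the same condition observable as a return value so that a test can assert on it without executing undefined behaviour.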
The following input demonstrates a crash (at least when MRuby is built on Ubuntu 14.04):
This outputs the following:
This issue was originally reported by https://hackerone.com/icanthack