Heap buffer overflow

[clayton-shopify]

The following input demonstrates a crash:

l = 0./(0, *r=begin
  K ||= @g
ensure
e
end)

This input is a variation of the one in #3442.

ASAN report:

=================================================================
==82414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000bbc0 at pc 0x00010b4ab9eb bp 0x7fff54ae4590 sp 0x7fff54ae3d50
READ of size 16 at 0x60d00000bbc0 thread T0
    #0 0x10b4ab9ea in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x419ea)
    #1 0x10b11b69d in value_move value_array.h:14
    #2 0x10b11b384 in mrb_ary_unshift array.c:502
    #3 0x10b280e42 in mrb_vm_exec vm.c:1198
    #4 0x10b277589 in mrb_vm_run vm.c:815
    #5 0x10b2a8a19 in mrb_top_run vm.c:2569
    #6 0x10b3767b5 in mrb_load_exec parse.y:5755
    #7 0x10b3775c5 in mrb_load_file_cxt parse.y:5764
    #8 0x10b11401a in main mruby.c:232
    #9 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x60d00000bbc0 is located 31 bytes to the right of 129-byte region [0x60d00000bb20,0x60d00000bba1)
allocated by thread T0 here:
    #0 0x10b4b4f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10b20d305 in mrb_default_allocf state.c:60
    #2 0x10b18e7b8 in mrb_realloc_simple gc.c:201
    #3 0x10b18ee9e in mrb_realloc gc.c:215
    #4 0x10b18f913 in mrb_malloc gc.c:236
    #5 0x10b21042c in mrb_str_buf_new string.c:115
    #6 0x10b16273b in mrb_mod_attr_writer class.c:1360
    #7 0x10b281950 in mrb_vm_exec vm.c:1229
    #8 0x10b277589 in mrb_vm_run vm.c:815
    #9 0x10b2a8a19 in mrb_top_run vm.c:2569
    #10 0x10b1cce84 in mrb_load_irep_cxt load.c:638
    #11 0x10b1cdcbf in mrb_load_irep load.c:644
    #12 0x10b31a276 in GENERATED_TMP_mrb_mruby_enumerator_gem_init (mruby+0x100208276)
    #13 0x10b3935ed in mrb_init_mrbgems (mruby+0x1002815ed)
    #14 0x10b20d491 in mrb_open_allocf state.c:114
    #15 0x10b20d437 in mrb_open state.c:99
    #16 0x10b112d97 in main mruby.c:172
    #17 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x419ea) in __asan_memcpy
Shadow bytes around the buggy address:
  0x1c1a00001720: 00 00 00 00 00 00 01 fa fa fa fa fa fa fa fa fa
  0x1c1a00001730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1a00001740: 01 fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x1c1a00001750: 00 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa
  0x1c1a00001760: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c1a00001770: 00 00 00 00 01 fa fa fa[fa]fa fa fa fa fa 00 00
  0x1c1a00001780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 fa
  0x1c1a00001790: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x1c1a000017a0: 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa fa
  0x1c1a000017b0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c1a000017c0: 00 00 01 fa fa fa fa fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==82414==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong