Heap buffer overflow

[clayton-shopify]

The following input demonstrates a crash:

module A module A
ensure
  module A module A module A module A
  ensure
    module A module A module A module A module A module A
     a
    ensure
      module A
        yield
      end
    end end end end end end
  end end end end
end end

ASAN report:

=================================================================
==52749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001c8e8 at pc 0x000109772e3f bp 0x7fff565e97d0 sp 0x7fff565e97c8
READ of size 4 at 0x60200001c8e8 thread T0
    #0 0x109772e3e in mrb_vm_exec vm.c:1868
    #1 0x10975a939 in mrb_vm_run vm.c:823
    #2 0x1097539be in mrb_run vm.c:2571
    #3 0x10978966e in ecall vm.c:314
    #4 0x10976e51b in mrb_vm_exec vm.c:1652
    #5 0x10975a939 in mrb_vm_run vm.c:823
    #6 0x1097539be in mrb_run vm.c:2571
    #7 0x10978966e in ecall vm.c:314
    #8 0x109762852 in mrb_vm_exec vm.c:1133
    #9 0x10975a939 in mrb_vm_run vm.c:823
    #10 0x1097539be in mrb_run vm.c:2571
    #11 0x10978966e in ecall vm.c:314
    #12 0x109762852 in mrb_vm_exec vm.c:1133
    #13 0x10975a939 in mrb_vm_run vm.c:823
    #14 0x10978c359 in mrb_top_run vm.c:2582
    #15 0x10985ae45 in mrb_load_exec parse.y:5760
    #16 0x10985bc55 in mrb_load_file_cxt parse.y:5769
    #17 0x1095f7046 in main mruby.c:227
    #18 0x7fffb4357254 in start (libdyld.dylib+0x5254)

0x60200001c8e8 is located 8 bytes to the left of 10-byte region [0x60200001c8f0,0x60200001c8fa)
allocated by thread T0 here:
    #0 0x10999ef87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1096f0015 in mrb_default_allocf state.c:60
    #2 0x109671bc8 in mrb_realloc_simple gc.c:201
    #3 0x109672d53 in mrb_malloc_simple gc.c:242
    #4 0x10982d9cd in codegen_malloc codegen.c:123
    #5 0x10982d54a in scope_finish codegen.c:2879
    #6 0x10981f58a in scope_body codegen.c:753
    #7 0x10980a193 in codegen codegen.c:1577
    #8 0x1098038f1 in mrb_generate_code codegen.c:2983
    #9 0x10985a2c0 in mrb_load_exec parse.y:5737
    #10 0x10985bc55 in mrb_load_file_cxt parse.y:5769
    #11 0x1095f7046 in main mruby.c:227
    #12 0x7fffb4357254 in start (libdyld.dylib+0x5254)

SUMMARY: AddressSanitizer: heap-buffer-overflow vm.c:1868 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c04000038c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c04000038d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c04000038e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c04000038f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0400003910: fa fa fa fa fa fa fa fa fa fa 00 00 fa[fa]00 02
  0x1c0400003920: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 04 fa
  0x1c0400003930: fa fa 00 fa fa fa 00 00 fa fa 00 02 fa fa 00 fa
  0x1c0400003940: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa 00 fa
  0x1c0400003950: fa fa 00 00 fa fa 00 02 fa fa 00 fa fa fa 00 fa
  0x1c0400003960: fa fa 00 fa fa fa 00 fa fa fa 00 00 fa fa 00 02
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52749==ABORTING
Abort trap: 6

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic)