Heap buffer overflow #3506

Closed
clayton-shopify opened this Issue Mar 14, 2017 · 0 comments


clayton-shopify commented Mar 14, 2017

The following input demonstrates a crash:

def to_str
  ``
  0
end

0.times.inspect

Since backquotes are not implemented, this code should result in infinite recursion but it crashes well before the C stack overflows. An attempt is made to write past the end of the Ruby VM stack here:

mruby/src/vm.c, line 1205 in 4b1e5d4:

    SET_NIL_VALUE(regs[bidx]);

This suggests that the size of the VM stack was not calculated correctly at some previous point.

ASAN report:

==30916==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700001b908 at pc 0x00010213cf0f bp 0x7fff5d8fd890 sp 0x7fff5d8fd888
WRITE of size 4 at 0x62700001b908 thread T0
    #0 0x10213cf0e in mrb_vm_exec (mruby+0x10016ef0e)
    #1 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #2 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #3 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #4 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #5 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #6 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #7 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #8 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #9 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #10 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #11 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #12 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #13 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #14 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #15 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #16 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #17 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #18 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #19 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #20 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #21 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #22 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #23 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #24 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #25 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #26 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #27 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #28 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #29 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #30 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #31 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #32 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #33 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #34 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #35 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #36 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #37 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #38 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #39 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #40 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #41 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #42 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #43 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #44 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #45 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #46 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #47 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #48 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #49 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #50 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #51 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #52 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #53 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #54 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #55 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #56 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #57 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #58 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #59 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #60 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #61 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #62 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #63 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #64 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #65 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #66 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #67 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #68 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #69 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #70 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #71 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #72 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #73 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #74 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #75 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #76 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #77 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #78 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #79 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #80 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #81 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #82 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #83 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #84 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #85 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #86 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #87 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #88 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #89 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #90 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #91 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #92 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #93 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #94 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #95 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #96 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #97 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #98 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #99 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #100 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #101 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #102 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #103 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #104 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #105 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #106 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #107 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #108 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #109 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #110 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #111 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #112 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #113 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #114 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #115 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #116 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #117 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #118 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #119 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #120 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #121 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #122 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #123 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #124 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #125 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #126 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #127 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #128 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #129 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #130 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #131 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #132 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #133 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #134 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #135 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #136 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #137 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #138 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #139 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #140 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #141 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #142 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #143 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #144 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #145 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #146 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #147 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #148 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #149 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #150 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #151 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #152 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #153 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #154 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #155 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #156 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #157 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #158 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #159 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #160 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #161 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #162 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #163 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #164 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #165 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #166 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #167 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #168 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #169 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #170 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #171 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #172 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #173 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #174 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #175 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #176 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #177 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #178 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #179 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #180 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #181 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #182 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #183 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #184 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #185 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #186 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #187 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #188 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #189 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #190 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #191 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #192 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #193 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #194 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #195 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #196 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #197 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #198 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #199 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #200 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #201 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #202 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #203 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #204 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #205 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #206 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #207 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #208 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #209 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #210 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #211 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #212 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #213 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #214 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #215 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #216 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #217 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #218 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #219 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #220 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #221 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #222 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #223 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #224 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #225 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #226 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #227 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #228 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #229 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #230 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #231 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #232 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #233 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #234 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #235 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #236 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #237 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #238 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #239 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #240 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #241 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #242 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #243 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #244 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #245 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #246 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #247 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #248 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #249 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #250 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #251 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #252 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #253 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #254 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #255 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)

0x62700001b908 is located 8 bytes to the right of 12288-byte region [0x627000018900,0x62700001b900)
allocated by thread T0 here:
    #0 0x102379f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x1020c9675 in mrb_default_allocf (mruby+0x1000fb675)
    #2 0x10204b228 in mrb_realloc_simple gc.c:201
    #3 0x10204b90e in mrb_realloc gc.c:215
    #4 0x1021670b1 in stack_extend_alloc (mruby+0x1001990b1)
    #5 0x10212c747 in stack_extend (mruby+0x10015e747)
    #6 0x102129484 in mrb_funcall_with_block (mruby+0x10015b484)
    #7 0x10200db49 in mrb_instance_new (mruby+0x10003fb49)
    #8 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #9 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #10 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #11 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #12 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #13 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #14 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #15 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #16 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #17 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #18 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #19 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #20 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)
    #21 0x102127337 in mrb_funcall_argv (mruby+0x100159337)
    #22 0x1020acc9e in convert_type (mruby+0x1000dec9e)
    #23 0x1020addba in mrb_check_convert_type (mruby+0x1000dfdba)
    #24 0x1020dbb9d in mrb_check_string_type (mruby+0x10010db9d)
    #25 0x1020779c3 in mrb_f_raise (mruby+0x1000a99c3)
    #26 0x10213eb73 in mrb_vm_exec (mruby+0x100170b73)
    #27 0x102133f99 in mrb_vm_run (mruby+0x100165f99)
    #28 0x10212d01e in mrb_run (mruby+0x10015f01e)
    #29 0x10212a967 in mrb_funcall_with_block (mruby+0x10015c967)

SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby+0x10016ef0e) in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c4e000036d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4e000036e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4e000036f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4e00003700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c4e00003710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c4e00003720: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4e00003730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4e00003740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4e00003750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4e00003760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c4e00003770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30916==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ston3
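The report attributes the out-of-bounds write to the VM stack being sized incorrectly at an earlier point. The following C program is an added illustration of that failure class, not mruby's code: it models a growable heap-allocated register file with a hypothetical layout (receiver at regs[0], arguments at regs[1..argc], block slot at regs[bidx] with bidx = argc + 1), an initial size of 8 slots, and a frame-preparation routine that can be switched between reserving the correct bidx + 1 registers and a miscalculated bidx, i.e. one too few for the block-slot write it is about to perform. The unconditional write that ASAN flagged is replaced by a bounds-checked write that reports the bad access instead of corrupting the heap, and the driver simulates nested calls so the model also shows a general property of this bug: the short reservation only overflows when a frame happens to end exactly at the allocation boundary, so the failure depends on recursion depth rather than appearing on the first call. All names and numbers below are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy model of a growable, heap-allocated VM register file.
 * Added illustration, not mruby's code: names, layout and sizes are
 * assumptions chosen to mirror the report's description. */
typedef struct { int32_t tt; int32_t pad; int64_t payload; } value_t;
enum { TT_NIL = 0 };

typedef struct {
    value_t *stbase; /* start of the allocation */
    value_t *stend;  /* one past the last usable register */
    value_t *regs;   /* base register of the current frame */
} vm_t;

#define INITIAL_SLOTS 8

static void vm_init(vm_t *vm) {
    vm->stbase = calloc(INITIAL_SLOTS, sizeof(value_t));
    if (!vm->stbase) abort();
    vm->stend = vm->stbase + INITIAL_SLOTS;
    vm->regs = vm->stbase;
}

static void vm_free(vm_t *vm) { free(vm->stbase); }

/* Grow the register file until regs[0..room-1] fit inside the allocation,
 * doubling on demand as a stack_extend-style routine typically does. */
static void stack_extend(vm_t *vm, size_t room) {
    size_t used = (size_t)(vm->regs - vm->stbase);
    size_t avail = (size_t)(vm->stend - vm->regs);
    if (avail >= room) return;
    size_t oldsize = (size_t)(vm->stend - vm->stbase);
    size_t newsize = oldsize;
    while (newsize - used < room) newsize *= 2;
    value_t *nb = realloc(vm->stbase, newsize * sizeof(value_t));
    if (!nb) abort();
    memset(nb + oldsize, 0, (newsize - oldsize) * sizeof(value_t));
    vm->stbase = nb;
    vm->stend = nb + newsize;
    vm->regs = nb + used;
}

/* Register write with an explicit bounds check. A real interpreter writes
 * unconditionally and trusts that stack_extend was called with enough room;
 * here the check stands in for the ASAN redzone, so a bad write is reported
 * (-1) instead of landing past the allocation. */
static int set_nil(vm_t *vm, size_t idx) {
    if (idx >= (size_t)(vm->stend - vm->regs)) return -1;
    vm->regs[idx].tt = TT_NIL;
    vm->regs[idx].payload = 0;
    return 0;
}

/* Prepare a call frame: regs[0] = receiver, regs[1..argc] = arguments,
 * regs[bidx] = block with bidx = argc + 1 (assumed layout). The frame needs
 * bidx + 1 registers; the miscalculated variant reserves only bidx, i.e. it
 * forgets the block slot it is about to write. */
static int push_frame(vm_t *vm, size_t argc, int count_block_slot) {
    size_t bidx = argc + 1;
    size_t room = count_block_slot ? bidx + 1 : bidx;
    stack_extend(vm, room);
    return set_nil(vm, bidx); /* the write that overflows when room is short */
}

/* Simulate `depth` nested calls of `argc` arguments each, advancing the frame
 * base past every frame as the callee would. Returns the 1-based depth of the
 * first call whose block-slot write would leave the allocation, 0 if none. */
int first_bad_depth(size_t depth, size_t argc, int count_block_slot) {
    vm_t vm;
    int bad = 0;
    vm_init(&vm);
    for (size_t d = 1; d <= depth; d++) {
        if (push_frame(&vm, argc, count_block_slot) != 0) { bad = (int)d; break; }
        vm.regs += argc + 2; /* callee's frame starts after the block slot */
    }
    vm_free(&vm);
    return bad;
}

int main(void) {
    printf("room miscalculated (argc=1): first bad write at depth %d\n",
           first_bad_depth(10, 1, 0));
    printf("room correct       (argc=1): first bad write at depth %d\n",
           first_bad_depth(10, 1, 1));
    printf("room miscalculated (argc=7): first bad write at depth %d\n",
           first_bad_depth(10, 7, 0));
    return 0;
}
```

With one-argument calls the short reservation passes the extension check on the third nested frame, whose block slot then sits exactly at the end of the 8-slot allocation, while the correct reservation triggers a grow there and never writes out of bounds; with seven arguments the very first frame already fills the initial allocation and the miscalculated variant fails immediately. The practical lesson for reviewing code like this is that every register index the call sequence writes must be covered by the room passed to the extension routine, and that ASAN (or a checked write as above) is the cheapest way to surface the one case where the arithmetic is short by a slot.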

matz closed this in b2916f1 Mar 17, 2017
