Heap use-after-free #3515

Closed
clayton-shopify opened this Issue Mar 15, 2017 · 0 comments

clayton-shopify commented Mar 15, 2017

The following input demonstrates a crash:

class A < def to_str
  ""[1, 2, 3]
  ensure --> {} rescue
  Struct.new.new.to_h
  end
end

ASAN report:

==51476==ERROR: AddressSanitizer: heap-use-after-free on address 0x62200001aaf0 at pc 0x00010b127404 bp 0x7fff54acf3f0 sp 0x7fff54acf3e8
READ of size 4 at 0x62200001aaf0 thread T0
    #0 0x10b127403 in mrb_vm_exec vm.c:1684
    #1 0x10b112f99 in mrb_vm_run vm.c:820
    #2 0x10b10c01e in mrb_run vm.c:2604
    #3 0x10b109967 in mrb_funcall_with_block vm.c:451
    #4 0x10b106337 in mrb_funcall_argv vm.c:461
    #5 0x10b08bc9e in convert_type object.c:320
    #6 0x10b08cdba in mrb_check_convert_type object.c:356
    #7 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #8 0x10b0c4eb6 in mrb_str_append string.c:2605
    #9 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #10 0x10b109565 in mrb_funcall_with_block vm.c:444
    #11 0x10b106337 in mrb_funcall_argv vm.c:461
    #12 0x10b057db2 in mrb_method_missing kernel.c:926
    #13 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #14 0x10b112f99 in mrb_vm_run vm.c:820
    #15 0x10b10c01e in mrb_run vm.c:2604
    #16 0x10b142a2a in ecall vm.c:312
    #17 0x10b12743a in mrb_vm_exec vm.c:1685
    #18 0x10b112f99 in mrb_vm_run vm.c:820
    #19 0x10b10c01e in mrb_run vm.c:2604
    #20 0x10b109967 in mrb_funcall_with_block vm.c:451
    #21 0x10b106337 in mrb_funcall_argv vm.c:461
    #22 0x10b08bc9e in convert_type object.c:320
    #23 0x10b08cdba in mrb_check_convert_type object.c:356
    #24 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #25 0x10b0c4eb6 in mrb_str_append string.c:2605
    #26 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #27 0x10b109565 in mrb_funcall_with_block vm.c:444
    #28 0x10b106337 in mrb_funcall_argv vm.c:461
    #29 0x10b057db2 in mrb_method_missing kernel.c:926
    #30 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #31 0x10b112f99 in mrb_vm_run vm.c:820
    #32 0x10b10c01e in mrb_run vm.c:2604
    #33 0x10b142a2a in ecall vm.c:312
    #34 0x10b12743a in mrb_vm_exec vm.c:1685
    #35 0x10b112f99 in mrb_vm_run vm.c:820
    #36 0x10b10c01e in mrb_run vm.c:2604
    #37 0x10b109967 in mrb_funcall_with_block vm.c:451
    #38 0x10b106337 in mrb_funcall_argv vm.c:461
    #39 0x10b08bc9e in convert_type object.c:320
    #40 0x10b08cdba in mrb_check_convert_type object.c:356
    #41 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #42 0x10b0c4eb6 in mrb_str_append string.c:2605
    #43 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #44 0x10b109565 in mrb_funcall_with_block vm.c:444
    #45 0x10b106337 in mrb_funcall_argv vm.c:461
    #46 0x10b057db2 in mrb_method_missing kernel.c:926
    #47 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #48 0x10b112f99 in mrb_vm_run vm.c:820
    #49 0x10b10c01e in mrb_run vm.c:2604
    #50 0x10b142a2a in ecall vm.c:312
    #51 0x10b12743a in mrb_vm_exec vm.c:1685
    #52 0x10b112f99 in mrb_vm_run vm.c:820
    #53 0x10b10c01e in mrb_run vm.c:2604
    #54 0x10b109967 in mrb_funcall_with_block vm.c:451
    #55 0x10b106337 in mrb_funcall_argv vm.c:461
    #56 0x10b08bc9e in convert_type object.c:320
    #57 0x10b08cdba in mrb_check_convert_type object.c:356
    #58 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #59 0x10b0c4eb6 in mrb_str_append string.c:2605
    #60 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #61 0x10b109565 in mrb_funcall_with_block vm.c:444
    #62 0x10b106337 in mrb_funcall_argv vm.c:461
    #63 0x10b057db2 in mrb_method_missing kernel.c:926
    #64 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #65 0x10b112f99 in mrb_vm_run vm.c:820
    #66 0x10b10c01e in mrb_run vm.c:2604
    #67 0x10b142a2a in ecall vm.c:312
    #68 0x10b12743a in mrb_vm_exec vm.c:1685
    #69 0x10b112f99 in mrb_vm_run vm.c:820
    #70 0x10b10c01e in mrb_run vm.c:2604
    #71 0x10b109967 in mrb_funcall_with_block vm.c:451
    #72 0x10b106337 in mrb_funcall_argv vm.c:461
    #73 0x10b08bc9e in convert_type object.c:320
    #74 0x10b08cdba in mrb_check_convert_type object.c:356
    #75 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #76 0x10b0c4eb6 in mrb_str_append string.c:2605
    #77 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #78 0x10b109565 in mrb_funcall_with_block vm.c:444
    #79 0x10b106337 in mrb_funcall_argv vm.c:461
    #80 0x10b057db2 in mrb_method_missing kernel.c:926
    #81 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #82 0x10b112f99 in mrb_vm_run vm.c:820
    #83 0x10b10c01e in mrb_run vm.c:2604
    #84 0x10b142a2a in ecall vm.c:312
    #85 0x10b12743a in mrb_vm_exec vm.c:1685
    #86 0x10b112f99 in mrb_vm_run vm.c:820
    #87 0x10b10c01e in mrb_run vm.c:2604
    #88 0x10b109967 in mrb_funcall_with_block vm.c:451
    #89 0x10b106337 in mrb_funcall_argv vm.c:461
    #90 0x10b08bc9e in convert_type object.c:320
    #91 0x10b08cdba in mrb_check_convert_type object.c:356
    #92 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #93 0x10b0c4eb6 in mrb_str_append string.c:2605
    #94 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #95 0x10b109565 in mrb_funcall_with_block vm.c:444
    #96 0x10b106337 in mrb_funcall_argv vm.c:461
    #97 0x10b057db2 in mrb_method_missing kernel.c:926
    #98 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #99 0x10b112f99 in mrb_vm_run vm.c:820
    #100 0x10b10c01e in mrb_run vm.c:2604
    #101 0x10b142a2a in ecall vm.c:312
    #102 0x10b12743a in mrb_vm_exec vm.c:1685
    #103 0x10b112f99 in mrb_vm_run vm.c:820
    #104 0x10b10c01e in mrb_run vm.c:2604
    #105 0x10b109967 in mrb_funcall_with_block vm.c:451
    #106 0x10b106337 in mrb_funcall_argv vm.c:461
    #107 0x10b08bc9e in convert_type object.c:320
    #108 0x10b08cdba in mrb_check_convert_type object.c:356
    #109 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #110 0x10b0c4eb6 in mrb_str_append string.c:2605
    #111 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #112 0x10b109565 in mrb_funcall_with_block vm.c:444
    #113 0x10b106337 in mrb_funcall_argv vm.c:461
    #114 0x10b057db2 in mrb_method_missing kernel.c:926
    #115 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #116 0x10b112f99 in mrb_vm_run vm.c:820
    #117 0x10b10c01e in mrb_run vm.c:2604
    #118 0x10b142a2a in ecall vm.c:312
    #119 0x10b12743a in mrb_vm_exec vm.c:1685
    #120 0x10b112f99 in mrb_vm_run vm.c:820
    #121 0x10b10c01e in mrb_run vm.c:2604
    #122 0x10b109967 in mrb_funcall_with_block vm.c:451
    #123 0x10b106337 in mrb_funcall_argv vm.c:461
    #124 0x10b08bc9e in convert_type object.c:320
    #125 0x10b08cdba in mrb_check_convert_type object.c:356
    #126 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #127 0x10b0c4eb6 in mrb_str_append string.c:2605
    #128 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #129 0x10b109565 in mrb_funcall_with_block vm.c:444
    #130 0x10b106337 in mrb_funcall_argv vm.c:461
    #131 0x10b057db2 in mrb_method_missing kernel.c:926
    #132 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #133 0x10b112f99 in mrb_vm_run vm.c:820
    #134 0x10b10c01e in mrb_run vm.c:2604
    #135 0x10b142a2a in ecall vm.c:312
    #136 0x10b12743a in mrb_vm_exec vm.c:1685
    #137 0x10b112f99 in mrb_vm_run vm.c:820
    #138 0x10b10c01e in mrb_run vm.c:2604
    #139 0x10b109967 in mrb_funcall_with_block vm.c:451
    #140 0x10b106337 in mrb_funcall_argv vm.c:461
    #141 0x10b08bc9e in convert_type object.c:320
    #142 0x10b08cdba in mrb_check_convert_type object.c:356
    #143 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #144 0x10b0c4eb6 in mrb_str_append string.c:2605
    #145 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #146 0x10b109565 in mrb_funcall_with_block vm.c:444
    #147 0x10b106337 in mrb_funcall_argv vm.c:461
    #148 0x10b057db2 in mrb_method_missing kernel.c:926
    #149 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #150 0x10b112f99 in mrb_vm_run vm.c:820
    #151 0x10b10c01e in mrb_run vm.c:2604
    #152 0x10b142a2a in ecall vm.c:312
    #153 0x10b12743a in mrb_vm_exec vm.c:1685
    #154 0x10b112f99 in mrb_vm_run vm.c:820
    #155 0x10b10c01e in mrb_run vm.c:2604
    #156 0x10b109967 in mrb_funcall_with_block vm.c:451
    #157 0x10b106337 in mrb_funcall_argv vm.c:461
    #158 0x10b08bc9e in convert_type object.c:320
    #159 0x10b08cdba in mrb_check_convert_type object.c:356
    #160 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #161 0x10b0c4eb6 in mrb_str_append string.c:2605
    #162 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #163 0x10b109565 in mrb_funcall_with_block vm.c:444
    #164 0x10b106337 in mrb_funcall_argv vm.c:461
    #165 0x10b057db2 in mrb_method_missing kernel.c:926
    #166 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #167 0x10b112f99 in mrb_vm_run vm.c:820
    #168 0x10b10c01e in mrb_run vm.c:2604
    #169 0x10b142a2a in ecall vm.c:312
    #170 0x10b12743a in mrb_vm_exec vm.c:1685
    #171 0x10b112f99 in mrb_vm_run vm.c:820
    #172 0x10b10c01e in mrb_run vm.c:2604
    #173 0x10b109967 in mrb_funcall_with_block vm.c:451
    #174 0x10b106337 in mrb_funcall_argv vm.c:461
    #175 0x10b08bc9e in convert_type object.c:320
    #176 0x10b08cdba in mrb_check_convert_type object.c:356
    #177 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #178 0x10b0c4eb6 in mrb_str_append string.c:2605
    #179 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #180 0x10b109565 in mrb_funcall_with_block vm.c:444
    #181 0x10b106337 in mrb_funcall_argv vm.c:461
    #182 0x10b057db2 in mrb_method_missing kernel.c:926
    #183 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #184 0x10b112f99 in mrb_vm_run vm.c:820
    #185 0x10b10c01e in mrb_run vm.c:2604
    #186 0x10b142a2a in ecall vm.c:312
    #187 0x10b12743a in mrb_vm_exec vm.c:1685
    #188 0x10b112f99 in mrb_vm_run vm.c:820
    #189 0x10b10c01e in mrb_run vm.c:2604
    #190 0x10b109967 in mrb_funcall_with_block vm.c:451
    #191 0x10b106337 in mrb_funcall_argv vm.c:461
    #192 0x10b08bc9e in convert_type object.c:320
    #193 0x10b08cdba in mrb_check_convert_type object.c:356
    #194 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #195 0x10b0c4eb6 in mrb_str_append string.c:2605
    #196 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #197 0x10b109565 in mrb_funcall_with_block vm.c:444
    #198 0x10b106337 in mrb_funcall_argv vm.c:461
    #199 0x10b057db2 in mrb_method_missing kernel.c:926
    #200 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #201 0x10b112f99 in mrb_vm_run vm.c:820
    #202 0x10b10c01e in mrb_run vm.c:2604
    #203 0x10b142a2a in ecall vm.c:312
    #204 0x10b12743a in mrb_vm_exec vm.c:1685
    #205 0x10b112f99 in mrb_vm_run vm.c:820
    #206 0x10b10c01e in mrb_run vm.c:2604
    #207 0x10b109967 in mrb_funcall_with_block vm.c:451
    #208 0x10b106337 in mrb_funcall_argv vm.c:461
    #209 0x10b08bc9e in convert_type object.c:320
    #210 0x10b08cdba in mrb_check_convert_type object.c:356
    #211 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #212 0x10b0c4eb6 in mrb_str_append string.c:2605
    #213 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #214 0x10b109565 in mrb_funcall_with_block vm.c:444
    #215 0x10b106337 in mrb_funcall_argv vm.c:461
    #216 0x10b057db2 in mrb_method_missing kernel.c:926
    #217 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #218 0x10b112f99 in mrb_vm_run vm.c:820
    #219 0x10b10c01e in mrb_run vm.c:2604
    #220 0x10b142a2a in ecall vm.c:312
    #221 0x10b12743a in mrb_vm_exec vm.c:1685
    #222 0x10b112f99 in mrb_vm_run vm.c:820
    #223 0x10b10c01e in mrb_run vm.c:2604
    #224 0x10b109967 in mrb_funcall_with_block vm.c:451
    #225 0x10b106337 in mrb_funcall_argv vm.c:461
    #226 0x10b08bc9e in convert_type object.c:320
    #227 0x10b08cdba in mrb_check_convert_type object.c:356
    #228 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #229 0x10b0c4eb6 in mrb_str_append string.c:2605
    #230 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #231 0x10b109565 in mrb_funcall_with_block vm.c:444
    #232 0x10b106337 in mrb_funcall_argv vm.c:461
    #233 0x10b057db2 in mrb_method_missing kernel.c:926
    #234 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #235 0x10b112f99 in mrb_vm_run vm.c:820
    #236 0x10b10c01e in mrb_run vm.c:2604
    #237 0x10b142a2a in ecall vm.c:312
    #238 0x10b12743a in mrb_vm_exec vm.c:1685
    #239 0x10b112f99 in mrb_vm_run vm.c:820
    #240 0x10b10c01e in mrb_run vm.c:2604
    #241 0x10b109967 in mrb_funcall_with_block vm.c:451
    #242 0x10b106337 in mrb_funcall_argv vm.c:461
    #243 0x10b08bc9e in convert_type object.c:320
    #244 0x10b08cdba in mrb_check_convert_type object.c:356
    #245 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #246 0x10b0c4eb6 in mrb_str_append string.c:2605
    #247 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #248 0x10b109565 in mrb_funcall_with_block vm.c:444
    #249 0x10b106337 in mrb_funcall_argv vm.c:461
    #250 0x10b057db2 in mrb_method_missing kernel.c:926
    #251 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #252 0x10b112f99 in mrb_vm_run vm.c:820
    #253 0x10b10c01e in mrb_run vm.c:2604
    #254 0x10b142a2a in ecall vm.c:312
    #255 0x10b12743a in mrb_vm_exec vm.c:1685

0x62200001aaf0 is located 4592 bytes inside of 4960-byte region [0x622000019900,0x62200001ac60)
freed by thread T0 here:
    #0 0x10b35bf87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10b0a8675 in mrb_default_allocf state.c:60
    #2 0x10b02a228 in mrb_realloc_simple gc.c:201
    #3 0x10b02a90e in mrb_realloc gc.c:215
    #4 0x10b10b1b9 in cipush vm.c:239
    #5 0x10b11d39f in mrb_vm_exec vm.c:1242
    #6 0x10b112f99 in mrb_vm_run vm.c:820
    #7 0x10b10c01e in mrb_run vm.c:2604
    #8 0x10b109967 in mrb_funcall_with_block vm.c:451
    #9 0x10b106337 in mrb_funcall_argv vm.c:461
    #10 0x10b08bc9e in convert_type object.c:320
    #11 0x10b08cdba in mrb_check_convert_type object.c:356
    #12 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #13 0x10b0c4eb6 in mrb_str_append string.c:2605
    #14 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #15 0x10b109565 in mrb_funcall_with_block vm.c:444
    #16 0x10b106337 in mrb_funcall_argv vm.c:461
    #17 0x10b057db2 in mrb_method_missing kernel.c:926
    #18 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #19 0x10b112f99 in mrb_vm_run vm.c:820
    #20 0x10b10c01e in mrb_run vm.c:2604
    #21 0x10b142a2a in ecall vm.c:312
    #22 0x10b12743a in mrb_vm_exec vm.c:1685
    #23 0x10b112f99 in mrb_vm_run vm.c:820
    #24 0x10b10c01e in mrb_run vm.c:2604
    #25 0x10b109967 in mrb_funcall_with_block vm.c:451
    #26 0x10b106337 in mrb_funcall_argv vm.c:461
    #27 0x10b08bc9e in convert_type object.c:320
    #28 0x10b08cdba in mrb_check_convert_type object.c:356
    #29 0x10b0b15f5 in mrb_str_to_str string.c:1028

previously allocated by thread T0 here:
    #0 0x10b35bf87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10b0a8675 in mrb_default_allocf state.c:60
    #2 0x10b02a228 in mrb_realloc_simple gc.c:201
    #3 0x10b02a90e in mrb_realloc gc.c:215
    #4 0x10b10b1b9 in cipush vm.c:239
    #5 0x10b11d39f in mrb_vm_exec vm.c:1242
    #6 0x10b112f99 in mrb_vm_run vm.c:820
    #7 0x10b10c01e in mrb_run vm.c:2604
    #8 0x10b109967 in mrb_funcall_with_block vm.c:451
    #9 0x10b106337 in mrb_funcall_argv vm.c:461
    #10 0x10b08bc9e in convert_type object.c:320
    #11 0x10b08cdba in mrb_check_convert_type object.c:356
    #12 0x10b0b15f5 in mrb_str_to_str string.c:1028
    #13 0x10b0c4eb6 in mrb_str_append string.c:2605
    #14 0x10b19ba7c in mrb_proc_inspect (mruby+0x1001eea7c)
    #15 0x10b109565 in mrb_funcall_with_block vm.c:444
    #16 0x10b106337 in mrb_funcall_argv vm.c:461
    #17 0x10b057db2 in mrb_method_missing kernel.c:926
    #18 0x10b11cc18 in mrb_vm_exec vm.c:1229
    #19 0x10b112f99 in mrb_vm_run vm.c:820
    #20 0x10b10c01e in mrb_run vm.c:2604
    #21 0x10b142a2a in ecall vm.c:312
    #22 0x10b12743a in mrb_vm_exec vm.c:1685
    #23 0x10b112f99 in mrb_vm_run vm.c:820
    #24 0x10b10c01e in mrb_run vm.c:2604
    #25 0x10b109967 in mrb_funcall_with_block vm.c:451
    #26 0x10b106337 in mrb_funcall_argv vm.c:461
    #27 0x10b08bc9e in convert_type object.c:320
    #28 0x10b08cdba in mrb_check_convert_type object.c:356
    #29 0x10b0b15f5 in mrb_str_to_str string.c:1028

SUMMARY: AddressSanitizer: heap-use-after-free vm.c:1684 in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c4400003500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c4400003550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x1c4400003560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c4400003580: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x1c4400003590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c44000035a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==51476==ABORTING
Abort trap: 6

The following variation was also reported:

class A < def to_str
a = "AAABAACAADAAEAAFAAGAAHAAIAAJAAKAALAAMAANAAOAAPAAQAARAASAATAAUAAVAAWAAXAAYAAZAAaAAbAAcAAdAAeAAfAAgAAhAAiAAjAAkAAlAAmAAnAAoAApAAqAArAAsAAtAAuAAvAAwAAxAAyAAzAA1AA2AA3AA4AA5AA6AA7AA8AA9AA0ABBABCABDABEABFABGABHABIABJABKABLABMABNABOABPABQABRABSABTABUABVABWABXABYABZABaABbABcABdABeABfABgABhABiABjABkABlABmABnABoABpABqABrABsABtABuABvABwABxAByABzAB1AB2AB3AB4AB5AB6AB7AB8AB9AB0ACBACCACDACEACFACGACHACIACJACKACLACMACNACOACPACQACRACSACTACUACVACWACXACYACZACaACbACcACdACeACfACgAChACiACjACkAClACmACnACoACpACqACrACsACtACuACvACwACxACyACzAC1AC2AC3AC4AC5AC6AC7AC8AC9AC0ADBADCADDADEADFADGADHADIADJADKADLADMADNADOADPADQADRADSADTADUADVADWADXADYADZADaADbADcADdADeADfADgADhADiADjADkADlADmADnADoADpADqADrADsADtADuADvADwADxADyADzAD1AD2AD3AD4AD5AD6AD7AD8AD9AD0AEBAECAEDAEEAEFAEGAEHAEIAEJAEKAELAEMAENAEOAEPAEQAERAESAETAEUAEVAEWAEXAEYAEZAEaAEbAEcAEdAEeAEfAEgAEhAEiAEjAEkAElAEmAEnAEoAEp\x0f\x0f\x0f\x0f\x0f\x0f\x0f\x0fsAEtAEuAEvAEwAExX\xe5\xfc\xff\xff\x6f\x00\x001AE2AE3AE4AE5AE6AE7AE8AE\x90\xe0n\x00\x00\x00\x00\x00FCAFDAFEAFFA\x00\x00\x00\x00HAFIAFJAFKAFLAFMAFNAFOAFPAFQAFRAFSAFTAFUAFVAFWAFXAFYAFZAFaAFbAFcAFdAFeAFfAFgAFhAFiAFjAFk" * 4
  ""[1, 2, 3]
  ensure --> {} rescue
  Struct.new.new.to_h
  end
end

Different crashes may result depending on the compiler used.

This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic).
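The two ASan traces above share one shape: the block is freed by the realloc inside cipush (vm.c:239) while a nested call is running under ecall (vm.c:312), and mrb_vm_exec (vm.c:1684) then reads through a pointer taken before that call. The C program below is an added illustration of that bug class and of the defensive fix; it is not mruby's code and not the change in ef105b5, whose contents are not on this page. The frame_t and frame_stack_t types, the nesting depths and the quarantine are all constructed for the example. Frees go through a small quarantine instead of free(), a toy version of what ASan does, so the example can deterministically attribute a stale pointer to the block it used to point into rather than dereferencing freed memory.

```c
/* Added example: a growable frame stack whose storage moves when it grows, a caller that
 * keeps a frame pointer across the growth (the buggy shape), and the fix of re-deriving
 * the pointer from an index. Not mruby code; all names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int pc; int argc; } frame_t;                 /* constructed call-frame record */
typedef struct { frame_t *base; size_t len, cap; } frame_stack_t;

/* Quarantine: freed blocks are held back from malloc and their ranges recorded, so a later
 * pointer can be checked against them. Mirrors the idea behind ASan's "freed by ... here". */
#define QMAX 16
static struct { void *p; uintptr_t lo, hi; } quarantine[QMAX];
static size_t qlen;

static void q_free(void *p, size_t bytes) {
    if (qlen < QMAX) {
        quarantine[qlen].p = p;
        quarantine[qlen].lo = (uintptr_t)p;
        quarantine[qlen].hi = (uintptr_t)p + bytes;
        qlen++;
    } else {
        free(p);                                  /* quarantine full: fall back to a real free */
    }
}

/* Returns 1 if ptr lies inside a quarantined block, i.e. dereferencing it would be a UAF. */
static int q_contains(const void *ptr) {
    uintptr_t a = (uintptr_t)ptr;
    for (size_t i = 0; i < qlen; i++)
        if (a >= quarantine[i].lo && a < quarantine[i].hi) return 1;
    return 0;
}

static void q_flush(void) {
    for (size_t i = 0; i < qlen; i++) free(quarantine[i].p);
    qlen = 0;
}

static void stack_init(frame_stack_t *s) {
    s->cap = 4;
    s->len = 0;
    s->base = malloc(s->cap * sizeof *s->base);
}

/* Push a frame; when full, move the frames to a larger block and quarantine the old one
 * (the role realloc plays in the cipush frames of the report). Returns the new top frame. */
static frame_t *stack_push(frame_stack_t *s, int pc, int argc) {
    if (s->len == s->cap) {
        size_t ncap = s->cap * 2;
        frame_t *nb = malloc(ncap * sizeof *nb);
        memcpy(nb, s->base, s->len * sizeof *nb);
        q_free(s->base, s->cap * sizeof *s->base);
        s->base = nb;
        s->cap = ncap;
    }
    frame_t *top = &s->base[s->len++];
    top->pc = pc;
    top->argc = argc;
    return top;
}

/* Nested execution that pushes frames, standing in for an ensure/rescue body run via ecall. */
static void run_nested(frame_stack_t *s, int depth) {
    for (int i = 0; i < depth; i++) stack_push(s, 100 + i, 0);
}

/* Buggy shape: hold a frame pointer across a call that may grow the stack. Instead of
 * dereferencing it, report whether it now points into freed (quarantined) memory. */
static int buggy_pointer_is_stale(int nested_depth) {
    frame_stack_t s;
    stack_init(&s);
    frame_t *ci = stack_push(&s, 1, 0);   /* cached before the nested call */
    run_nested(&s, nested_depth);         /* may move s.base and retire the old block */
    int stale = q_contains(ci);
    q_free(s.base, s.cap * sizeof *s.base);
    q_flush();
    return stale;
}

/* Fixed shape: remember the frame's index and re-derive the pointer after the call. */
static int fixed_read_pc(int nested_depth) {
    frame_stack_t s;
    stack_init(&s);
    stack_push(&s, 1, 0);
    size_t idx = s.len - 1;
    run_nested(&s, nested_depth);
    frame_t *ci = &s.base[idx];           /* valid regardless of how the stack grew */
    int pc = ci->pc;
    q_free(s.base, s.cap * sizeof *s.base);
    q_flush();
    return pc;
}

int main(void) {
    printf("stale after 2 nested pushes: %d\n", buggy_pointer_is_stale(2)); /* 0: no growth */
    printf("stale after 8 nested pushes: %d\n", buggy_pointer_is_stale(8)); /* 1: storage moved */
    printf("fixed read of pc: %d\n", fixed_read_pc(8));                     /* 1 */
    return 0;
}
```

With a capacity of 4, two nested pushes never move the storage and the cached pointer stays valid, which is why such bugs survive ordinary testing; eight nested pushes force two moves and the cached pointer lands in a retired block, which is the situation ASan reports as heap-use-after-free. The fix costs one index load and removes the dependency on the allocator's behaviour entirely.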

@matz matz closed this in ef105b5 Mar 19, 2017

matz added a commit that referenced this issue Mar 19, 2017

matz added a commit that referenced this issue Apr 25, 2017
