New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null pointer dereference in OP_RESCUE #3519

Closed
clayton-shopify opened this Issue Mar 15, 2017 · 0 comments

Comments

Projects
None yet
1 participant
@clayton-shopify
Contributor

clayton-shopify commented Mar 15, 2017

The following input demonstrates a crash:

begin
rescue => a
end

begin
  b
rescue begin
    c ""
  rescue => d
    0
  ensure
  end
end

mrb->exc ends up NULL here:

mruby/src/vm.c

Line 1096 in f8b31a0

exc = mrb_obj_value(mrb->exc);

This looks to be related to #3487

ASAN report:

==63757==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010572b22c bp 0x7fff5a6286f0 sp 0x7fff5a628580 T0)
    #0 0x10572b22b in mrb_obj_value (mruby+0x10015d22b)
    #1 0x10573aef0 in mrb_vm_exec (mruby+0x10016cef0)
    #2 0x1057342f9 in mrb_vm_run (mruby+0x1001662f9)
    #3 0x105766929 in mrb_top_run (mruby+0x100198929)
    #4 0x105835b65 in mrb_load_exec (mruby+0x100267b65)
    #5 0x105836975 in mrb_load_file_cxt (mruby+0x100268975)
    #6 0x1055d0936 in main mruby.c:227
    #7 0x7fffaf458254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (mruby+0x10015d22b) in mrb_obj_value
==63757==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/icanthack

matz added a commit that referenced this issue Mar 19, 2017

@matz matz closed this in 4cf38eb Mar 19, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment