The following input demonstrates a crash:
def method_missing(m, *)
a self.b ||= 0
end
c
ASAN report:
==80971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000b900 at pc 0x00010b8d0bbe bp 0x7fff546c6770 sp 0x7fff546c5f30
WRITE of size 16 at 0x62600000b900 thread T0
#0 0x10b8d0bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
#1 0x10b69edd9 in mrb_vm_exec (mruby+0x10016edd9)
#2 0x10b694f79 in mrb_vm_run (mruby+0x100164f79)
#3 0x10b6c7249 in mrb_top_run (mruby+0x100197249)
#4 0x10b796a85 in mrb_load_exec (mruby+0x100266a85)
#5 0x10b797895 in mrb_load_file_cxt (mruby+0x100267895)
#6 0x10b5325c6 in main mruby.c:227
#7 0x7fff8cb21254 in start (libdyld.dylib+0x5254)
0x62600000b900 is located 0 bytes to the right of 10240-byte region [0x626000009100,0x62600000b900)
allocated by thread T0 here:
#0 0x10b8d9f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
#1 0x10b62a315 in mrb_default_allocf (mruby+0x1000fa315)
#2 0x10b5ac118 in mrb_realloc_simple gc.c:201
#3 0x10b5ac7fe in mrb_realloc gc.c:215
#4 0x10b6c7cc1 in stack_extend_alloc (mruby+0x100197cc1)
#5 0x10b68d3e7 in stack_extend (mruby+0x10015d3e7)
#6 0x10b6a0605 in mrb_vm_exec (mruby+0x100170605)
#7 0x10b694f79 in mrb_vm_run (mruby+0x100164f79)
#8 0x10b6c7249 in mrb_top_run (mruby+0x100197249)
#9 0x10b796a85 in mrb_load_exec (mruby+0x100266a85)
#10 0x10b797895 in mrb_load_file_cxt (mruby+0x100267895)
#11 0x10b5325c6 in main mruby.c:227
#12 0x7fff8cb21254 in start (libdyld.dylib+0x5254)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41bbd) in __asan_memcpy
Shadow bytes around the buggy address:
==80971==ABORTING
Abort trap: 6
This issue was reported by https://hackerone.com/ston3
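Crash reports like the one above are easiest to compare across a fuzzing campaign when the facts that matter are pulled out mechanically. The following Python script is an added example (not part of the original report or of mruby) that parses the ASan output above, embedded inline and cut down to the frames that matter, and extracts the error class, the access kind and size, how far past the region the write lands, the first non-runtime frame on the faulting stack, and the allocation stack.

```python
import re

# Excerpt of the ASan report above (constructed from it, trimmed to the
# lines the triage needs; real ASan output indents frames with spaces).
REPORT = """\
==80971==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62600000b900 at pc 0x00010b8d0bbe bp 0x7fff546c6770 sp 0x7fff546c5f30
WRITE of size 16 at 0x62600000b900 thread T0
    #0 0x10b8d0bbd in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bbd)
    #1 0x10b69edd9 in mrb_vm_exec (mruby+0x10016edd9)
    #2 0x10b694f79 in mrb_vm_run (mruby+0x100164f79)
0x62600000b900 is located 0 bytes to the right of 10240-byte region [0x626000009100,0x62600000b900)
allocated by thread T0 here:
    #0 0x10b8d9f87 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x4af87)
    #1 0x10b62a315 in mrb_default_allocf (mruby+0x1000fa315)
    #2 0x10b5ac118 in mrb_realloc_simple gc.c:201
    #3 0x10b5ac7fe in mrb_realloc gc.c:215
    #4 0x10b6c7cc1 in stack_extend_alloc (mruby+0x100197cc1)
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+)", re.M)
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
# Frames belonging to the sanitizer runtime or its allocator wrappers, not the target.
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "wrap_")


def triage(report):
    """Return the facts a triager needs from a heap-buffer-overflow report."""
    head, _, alloc = report.partition("allocated by thread")
    kind, addr = HEADER.search(head).groups()
    access, size = ACCESS.search(head).groups()
    dist, side, region = REGION.search(head).groups()
    # First frame that is not sanitizer glue is where the target performs the bad access.
    fault_frame = next(f for _, f in FRAME.findall(head) if not f.startswith(RUNTIME_PREFIXES))
    alloc_stack = [f for _, f in FRAME.findall(alloc) if not f.startswith(RUNTIME_PREFIXES)]
    # A write starting `dist` bytes past the end that spans `size` bytes overruns by dist+size.
    overrun = int(dist) + int(size) if side == "right" else 0
    return {
        "kind": kind,
        "address": addr,
        "access": access,
        "size": int(size),
        "region_bytes": int(region),
        "overrun_bytes": overrun,
        "fault_frame": fault_frame,
        "alloc_stack": alloc_stack,
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

A write (rather than a read) past a heap region is the signal to prioritise this crash, since it corrupts adjacent allocator data rather than only leaking it.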