Null pointer dereference in mrb_ary_ref #3537

Closed
clayton-shopify opened this Issue Mar 22, 2017 · 0 comments

clayton-shopify commented Mar 22, 2017

The following input to mirb demonstrates a crash:

w
Fiber.new do w end.resume
y=f=GC.start
g=s=t=().()
a=[D]
a

Note that this input must be given to mirb, not mruby.

ASAN report:

==24404==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffc774bf3d bp 0x7fff57771860 sp 0x7fff57771860 T0)
    #0 0x7fffc774bf3c in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f3c)
    #1 0x108821bf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10848cee4 in mrb_ary_ref array.c:552
    #3 0x108496a28 in mrb_ary_aget array.c:753
    #4 0x1085f1d50 in mrb_vm_exec vm.c:1259
    #5 0x1085e73d9 in mrb_vm_run vm.c:823
    #6 0x1085e011e in mrb_run vm.c:2603
    #7 0x1085dda67 in mrb_funcall_with_block vm.c:451
    #8 0x1085dac57 in mrb_funcall_with_block vm.c:354
    #9 0x1085da437 in mrb_funcall_argv vm.c:461
    #10 0x1085d9ebe in mrb_funcall vm.c:339
    #11 0x108485c9b in p mirb.c:92
    #12 0x108484634 in main mirb.c:564
    #13 0x7fffc753b254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f3c) in _platform_memmove$VARIANT$Haswell
==24404==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ston3
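
An added example, not part of the original issue or the mruby project: a small triage script that parses the ASAN report above, skips the frames that resolve only to system and sanitizer libraries, and buckets the crash on the first frame with source information, which matches the issue title (mrb_ary_ref) rather than the ASAN SUMMARY line (memmove). The `NULL_PAGE` threshold and all function names in the script are assumptions of this example.

```python
import re

# Header and first five frames of the ASAN report quoted in the issue above.
REPORT = r"""
==24404==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffc774bf3d bp 0x7fff57771860 sp 0x7fff57771860 T0)
    #0 0x7fffc774bf3c in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f3c)
    #1 0x108821bf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10848cee4 in mrb_ary_ref array.c:552
    #3 0x108496a28 in mrb_ary_aget array.c:753
    #4 0x1085f1d50 in mrb_vm_exec vm.c:1259
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on unknown address (0x[0-9a-fA-F]+)")
# A frame is either "func file:line" (debug info) or "func (module+0xoffset)".
FRAME = re.compile(
    r"^\s*#(\d+) 0x[0-9a-fA-F]+ in (\S+) (?:(\S+):(\d+)|\((.+?)\+0x[0-9a-fA-F]+\))\s*$")
NULL_PAGE = 0x1000  # assumption: a fault inside the first 4 KiB counts as a null dereference


def parse_frames(report):
    """Return the stack frames of an ASAN report as a list of dicts."""
    frames = []
    for line in report.splitlines():
        m = FRAME.match(line)
        if m:
            num, func, src, lineno, module = m.groups()
            frames.append({"n": int(num), "func": func, "file": src,
                           "line": int(lineno) if lineno else None, "module": module})
    return frames


def triage(report):
    """Classify the crash and derive a de-duplication bucket for it."""
    h = HEADER.search(report)
    if h is None:
        raise ValueError("no AddressSanitizer fault header found")
    addr = int(h.group(2), 16)
    frames = parse_frames(report)
    # Frames that resolve only to a shared library (libc, sanitizer runtime) are
    # skipped: the first frame with source info is the project code that made the call.
    first = next((f for f in frames if f["file"]), None)
    return {
        "signal": h.group(1),
        "fault_addr": addr,
        "null_deref": addr < NULL_PAGE,
        "skipped": [f["func"] for f in frames if first is None or f["n"] < first["n"]],
        "bucket": f'{first["func"]}@{first["file"]}:{first["line"]}' if first else None,
    }
```
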
