Null pointer dereference in mrb_get_args #3559

Closed
clayton-shopify opened this Issue Mar 28, 2017 · 0 comments

@clayton-shopify
Contributor

clayton-shopify commented Mar 28, 2017

The following input demonstrates a crash:

[][0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]=%
a

ASAN report:

==10182==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010aa9d9bb bp 0x7fff551882f0 sp 0x7fff551865a0 T0)
==10182==The signal is caused by a READ memory access.
==10182==Hint: address points to the zero page.
    #0 0x10aa9d9ba in mrb_get_args class.c:555
    #1 0x10aa828fc in mrb_ary_aset array.c:811
    #2 0x10abdcf90 in mrb_vm_exec vm.c:1259
    #3 0x10abd2619 in mrb_vm_run vm.c:823
    #4 0x10ac048f9 in mrb_top_run vm.c:2614
    #5 0x10acd57a5 in mrb_load_exec parse.y:5760
    #6 0x10acd65b5 in mrb_load_file_cxt parse.y:5769
    #7 0x10aa70066 in main mruby.c:227
    #8 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==10182==Register values:
rax = 0x0000000000000018  rbx = 0x00007fff55186800  rcx = 0x0000000000000018  rdx = 0x0000100000000003
rdi = 0x00001c2800001400  rsi = 0x0000100000000000  rbp = 0x00007fff551882f0  rsp = 0x00007fff551865a0
 r8 = 0x0000100000000000   r9 = 0x00007fff551865c0  r10 = 0x00007fff551865d0  r11 = 0x00007fff55186610
r12 = 0x00007fff55186670  r13 = 0x00007fff55186690  r14 = 0x00007fff55186630  r15 = 0x00007fff55186650
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV class.c:555 in mrb_get_args
==10182==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong
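A small triage helper, added here as an example that is not part of this issue or of mruby: it parses the ASAN SEGV report above (the sample lines are copied from the report) and classifies a fault in the zero page as a NULL-plus-offset dereference. The 0x1000 zero-page threshold is an assumption.

```python
import re

# Sample input: the first lines of the ASAN report from this issue (constructed excerpt).
ASAN_REPORT = """\
==10182==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x00010aa9d9bb bp 0x7fff551882f0 sp 0x7fff551865a0 T0)
==10182==The signal is caused by a READ memory access.
==10182==Hint: address points to the zero page.
    #0 0x10aa9d9ba in mrb_get_args class.c:555
    #1 0x10aa828fc in mrb_ary_aset array.c:811
    #2 0x10abdcf90 in mrb_vm_exec vm.c:1259
SUMMARY: AddressSanitizer: SEGV class.c:555 in mrb_get_args
"""

# "ERROR: AddressSanitizer: <kind> on [unknown ]address 0x<hex>"
ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"signal is caused by a (?P<access>READ|WRITE)")
# "    #0 0x... in <function> <file:line>"
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")

ZERO_PAGE_LIMIT = 0x1000  # assumption: faults below the first page are NULL + small field offset


def triage_asan(report: str) -> dict:
    """Extract fault kind, address, access type and stack frames; classify the SEGV."""
    info = {"kind": None, "address": None, "access": None, "frames": [], "classification": "unknown"}
    for line in report.splitlines():
        m = ERROR_RE.match(line)
        if m:
            info["kind"] = m.group("kind")
            info["address"] = int(m.group("addr"), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            info["access"] = m.group("access")
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append((m.group("func"), m.group("loc")))
    if info["kind"] == "SEGV" and info["address"] is not None:
        # A tiny address means a NULL base pointer plus a struct field offset was dereferenced.
        info["classification"] = "null-deref" if info["address"] < ZERO_PAGE_LIMIT else "wild-pointer"
    elif info["kind"]:
        info["classification"] = info["kind"].lower()
    return info
```

For this report the helper returns the crash site `mrb_get_args` at `class.c:555`, a READ of address 0x18, classified as a null dereference.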

@clayton-shopify clayton-shopify changed the title from "Null pointer dereference in" to "Null pointer dereference in mrb_get_args" Mar 28, 2017

@matz matz closed this in dcbfe71 Apr 1, 2017
