Null pointer dereference in ary_concat #3580

Closed
@clayton-shopify

Description

The following input demonstrates a crash:

N *case
when nil
->()do end
def e()end
end#

ASAN report:

==56546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0001083ee4ab bp 0x7fff5780e4f0 sp 0x7fff5780e410 T0)
==56546==The signal is caused by a READ memory access.
==56546==Hint: address points to the zero page.
    #0 0x1083ee4aa in ary_concat array.c:265
    #1 0x1083ee364 in mrb_ary_concat array.c:284
    #2 0x108572ebc in mrb_vm_exec vm.c:2304
    #3 0x10854cf49 in mrb_vm_run vm.c:824
    #4 0x10857f859 in mrb_top_run vm.c:2630
    #5 0x108650845 in mrb_load_exec parse.y:5762
    #6 0x108651655 in mrb_load_file_cxt parse.y:5771
    #7 0x1083e9e76 in main mruby.c:227
    #8 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==56546==Register values:
rax = 0x000000007ffffffe  rbx = 0x00007fff5780e560  rcx = 0x0000000000000018  rdx = 0x0000000000000018
rdi = 0x0000100000000000  rsi = 0x0000100000000003  rbp = 0x00007fff5780e4f0  rsp = 0x00007fff5780e410
 r8 = 0x0000100000000000   r9 = 0x0000100000000000  r10 = 0x0000000109569a48  r11 = 0x6d75ac53ed8a002a
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffeaf02a84  r14 = 0xf2f20000f2f2f2f2  r15 = 0xf2f2f2f2f2040000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV array.c:265 in ary_concat
==56546==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/mg36
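A small crash-triage helper, added here as an example and not part of the issue or of mruby: it parses the AddressSanitizer report quoted above (embedded below as a constructed sample, trimmed to the first three frames) and classifies the fault, so a READ of a small address on the zero page like this one is recorded as a null-pointer dereference (a crash) rather than as a memory-corruption finding.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the ASAN output from the issue above, trimmed to the
# crashing frame and its two callers.
ASAN_REPORT = """\
==56546==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0001083ee4ab bp 0x7fff5780e4f0 sp 0x7fff5780e410 T0)
==56546==The signal is caused by a READ memory access.
==56546==Hint: address points to the zero page.
    #0 0x1083ee4aa in ary_concat array.c:265
    #1 0x1083ee364 in mrb_ary_concat array.c:284
    #2 0x108572ebc in mrb_vm_exec vm.c:2304
SUMMARY: AddressSanitizer: SEGV array.c:265 in ary_concat
"""

@dataclass
class Triage:
    error: str            # ASAN error class, e.g. "SEGV", "heap-buffer-overflow"
    address: int          # faulting address (-1 if the report has none)
    access: Optional[str] # "READ", "WRITE" or None
    zero_page: bool       # ASAN's hint that the address lies on the zero page
    frames: list          # [(function, "file:line"), ...] innermost first
    kind: str             # triage verdict

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-f]+))?")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+):(\d+)", re.M)

def triage_asan(report: str) -> Triage:
    """Extract the fault details from an ASAN report and assign a verdict."""
    m = ERROR_RE.search(report)
    if not m:
        raise ValueError("not an AddressSanitizer error report")
    error = m.group(1)
    address = int(m.group(2), 16) if m.group(2) else -1
    a = ACCESS_RE.search(report)
    access = a.group(1) if a else None
    zero_page = "address points to the zero page" in report
    frames = [(fn, f"{path}:{line}") for _, fn, path, line in FRAME_RE.findall(report)]
    # A zero-page read is a NULL (or NULL-plus-field-offset) dereference: the
    # process dies, but nothing is written. A zero-page write or a SEGV at an
    # arbitrary address deserves closer inspection.
    if error == "SEGV" and zero_page:
        kind = "null-deref-read" if access == "READ" else "null-deref-write"
    elif error == "SEGV":
        kind = "wild-access"
    else:
        kind = error.lower()
    return Triage(error, address, access, zero_page, frames, kind)
```

For the report above the faulting address 0x18 is the offset of the field read through a NULL struct pointer, and the innermost frame names the line to inspect.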
