
Null pointer dereference in mrb_str_to_inum #3581

Closed
clayton-shopify opened this issue Apr 3, 2017 · 0 comments

@clayton-shopify (Contributor) commented:

The following input demonstrates a crash:

```ruby
# Any call to an undefined method (including the bare identifier `a` below,
# which is not a local variable) answers false instead of raising NameError.
def method_missing(*)
  false
end

# Every object now responds to to_str and coerces to the empty string.
def to_str()
  ""
end

# `a` resolves through method_missing to false, so this is Integer(false, 2).
Integer(a,2)
```

ASAN report:

```
==56841==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x00010c93c7d6 bp 0x7fff533c9030 sp 0x7fff533c8e60 T0)
==56841==The signal is caused by a READ memory access.
==56841==Hint: address points to the zero page.
    #0 0x10c93c7d5 in mrb_str_to_inum string.c:2257
    #1 0x10c9100ea in mrb_convert_to_integer object.c:548
    #2 0x10ca3b78f in mrb_f_integer (mruby:x86_64+0x10020e78f)
    #3 0x10c99cd98 in mrb_vm_exec vm.c:1268
    #4 0x10c991f49 in mrb_vm_run vm.c:824
    #5 0x10c9c4859 in mrb_top_run vm.c:2630
    #6 0x10ca95845 in mrb_load_exec parse.y:5762
    #7 0x10ca96655 in mrb_load_file_cxt parse.y:5771
    #8 0x10c82ee76 in main mruby.c:227
    #9 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==56841==Register values:
rax = 0x0000000000000001  rbx = 0x00007fff533c8ec0  rcx = 0x0000000000000001  rdx = 0x0000100000000000
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff533c9030  rsp = 0x00007fff533c8e60
 r8 = 0x000062f000000010   r9 = 0x0000100000000000  r10 = 0x26cf1d925a730000  r11 = 0xffffffffffffffc0
r12 = 0xf2f20000f1f1f1f1  r13 = 0x00001fffea67a084  r14 = 0x00007fff533c90c0  r15 = 0x00007fff533c90e0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV string.c:2257 in mrb_str_to_inum
==56841==ABORTING
Abort trap: 6
```

This issue was reported by https://hackerone.com/ston3

@matz matz closed this as completed in db47ae5 Apr 10, 2017
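The stack trace shows a string-only routine (`mrb_str_to_inum`) reached from the generic `Integer()` conversion with a value that is not a String, and the faulting address `0x1` is a read through a non-pointer payload. The C program below is an added, simplified model of that bug class written for this page; it is not mruby's code, does not reproduce the actual fix in db47ae5, and the types `value`, `conv_result` and the functions `str_to_inum`, `check_string_type` and `convert_to_integer` are all constructed for the illustration. It shows the two guards a defender wants at this boundary: the string parser refuses non-string tags instead of dereferencing them, and the caller parses the value the coercion hook returned rather than the original argument.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed tagged value, loosely modelled on a dynamic language's boxed
   value. Only the `str` member is meaningful when tt == TT_STRING; for
   TT_FALSE the payload is a small integer, not a pointer. */
typedef enum { TT_FALSE, TT_TRUE, TT_INTEGER, TT_STRING } value_type;

typedef struct {
    value_type tt;
    union {
        long i;
        const char *str;
    } u;
} value;

/* Outcome of a conversion: ok == 1 with `n` set, or ok == 0 with `err`. */
typedef struct {
    int ok;
    long n;
    const char *err;
} conv_result;

static value make_false(void)            { value v; v.tt = TT_FALSE;   v.u.i = 1; return v; }
static value make_int(long n)            { value v; v.tt = TT_INTEGER; v.u.i = n; return v; }
static value make_str(const char *s)     { value v; v.tt = TT_STRING;  v.u.str = s; return v; }

/* Parse a String value as an integer in `base` (2..36).
   The tag check on entry is the guard that makes this routine safe to reach
   from dynamically typed callers: without it, a TT_FALSE value would be read
   as a pointer (here 0x1) and the parser would fault exactly like the report. */
static conv_result str_to_inum(value v, int base)
{
    conv_result r = { 0, 0, NULL };
    if (v.tt != TT_STRING) {
        r.err = "expected a String";
        return r;
    }
    if (base < 2 || base > 36) {
        r.err = "invalid radix";
        return r;
    }
    const char *s = v.u.str;
    if (*s == '\0') {
        r.err = "invalid value for Integer(): \"\"";
        return r;
    }
    char *end = NULL;
    errno = 0;
    long n = strtol(s, &end, base);
    if (errno == ERANGE) {
        r.err = "integer out of range";
        return r;
    }
    if (*end != '\0') {            /* trailing garbage: reject the whole string */
        r.err = "invalid value for Integer()";
        return r;
    }
    r.ok = 1;
    r.n = n;
    return r;
}

/* Stand-in for a user-visible to_str coercion hook. Mirrors the report's
   to_str, which turns any object into "". In a real runtime this runs user
   code, so the caller must not trust the original argument afterwards. */
static value check_string_type(value v)
{
    if (v.tt == TT_STRING) return v;
    return make_str("");
}

/* Integer(val, base): coerce first, then parse the COERCED value. */
static conv_result convert_to_integer(value v, int base)
{
    if (v.tt == TT_INTEGER) {
        conv_result r = { 1, v.u.i, NULL };
        return r;
    }
    value coerced = check_string_type(v);
    return str_to_inum(coerced, base);
}

static void report(const char *label, conv_result r)
{
    if (r.ok) printf("%s -> %ld\n", label, r.n);
    else      printf("%s -> error: %s\n", label, r.err);
}

int main(void)
{
    report("Integer(\"101\", 2)", convert_to_integer(make_str("101"), 2));
    report("Integer(42, 2)",      convert_to_integer(make_int(42), 2));
    report("Integer(false, 2)",   convert_to_integer(make_false(), 2));
    /* Calling the string parser directly with a non-string is rejected,
       not dereferenced. */
    report("str_to_inum(false, 2)", str_to_inum(make_false(), 2));
    return 0;
}
```

For the report's input the hardened path ends in an `ArgumentError`-style rejection of the empty string, which is the behaviour a fuzzing harness under ASAN should see instead of a SEGV; a regression test for the real runtime would assert on the raised exception rather than on process exit status.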