Null pointer dereference in array_copy #3591

Closed
clayton-shopify opened this Issue Apr 4, 2017 · 0 comments

clayton-shopify commented Apr 4, 2017

The following input demonstrates a crash:

Range = Struct
Array(0..0)

ASAN report:

==73305==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fffbbdccf3d bp 0x7fff57b61490 sp 0x7fff57b61490 T0)
==73305==The signal is caused by a READ memory access.
==73305==Hint: address points to the zero page.
    #0 0x7fffbbdccf3c in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib:x86_64+0x5f3c)
    #1 0x10849b504 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d504)
    #2 0x10809767c in array_copy array.c:71
    #3 0x10809745f in mrb_ary_new_from_values array.c:80
    #4 0x10825eac5 in mrb_struct_to_a struct.c:624
    #5 0x1081ee145 in mrb_funcall_with_block vm.c:444
    #6 0x1081eaf17 in mrb_funcall_argv vm.c:461
    #7 0x10817024e in convert_type object.c:320
    #8 0x10817136a in mrb_check_convert_type object.c:356
    #9 0x1082a2aa3 in mrb_f_array (mruby:x86_64+0x10020faa3)
    #10 0x108202d88 in mrb_vm_exec vm.c:1268
    #11 0x1081f7f39 in mrb_vm_run vm.c:824
    #12 0x10822a849 in mrb_top_run vm.c:2630
    #13 0x1082fb845 in mrb_load_exec parse.y:5762
    #14 0x1082fc655 in mrb_load_file_cxt parse.y:5771
    #15 0x108094e66 in main mruby.c:227
    #16 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==73305==Register values:
rax = 0x000000010ba21800  rbx = 0x00000001092154c0  rcx = 0x0000000000000000  rdx = 0x0000000000000008
rdi = 0x000000010ba21800  rsi = 0x0000000000000000  rbp = 0x00007fff57b61490  rsp = 0x00007fff57b61490
 r8 = 0x0000100000000000   r9 = 0x0000000000000000  r10 = 0x0000000000001052  r11 = 0x000000010ba21800
r12 = 0x00001fffeaf6c528  r13 = 0x0000000000000000  r14 = 0x0000000000000010  r15 = 0x000000010ba21800
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib:x86_64+0x5f3c) in _platform_memmove$VARIANT$Haswell
==73305==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ilsani
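The backtrace above shows mrb_struct_to_a being reached through Kernel#Array's to_a conversion on the value produced by `0..0` after `Range = Struct`, and array_copy then calling memcpy with a zero source address (rsi = 0, "address points to the zero page"). The following is an added example, not mruby's code and not the fix in bd7bf26: a constructed model of a tagged-object heap in which a method selected by class name reads struct fields out of an object whose concrete type is something else, placed beside the check a defensive implementation would make first. All names (obj_tt, union obj, struct_ptr_unchecked, struct_to_a_checked) and the field layout are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not mruby's code): every object carries a type tag
 * and a class name. The class can be rebound (as `Range = Struct` does)
 * without changing the tag that describes the object's real layout. */
enum obj_tt { TT_STRUCT = 1, TT_RANGE = 2 };

struct obj_header { enum obj_tt tt; const char *klass; };
struct obj_struct { struct obj_header h; intptr_t *ptr; intptr_t len; };          /* member array */
struct obj_range  { struct obj_header h; intptr_t beg; intptr_t end; int excl; }; /* begin/end bounds */

/* One object slot; the struct's ptr/len overlap the range's beg/end. */
union obj { struct obj_header h; struct obj_struct s; struct obj_range r; };

/* Unsafe pattern: the method was chosen by class name, so the body trusts
 * that it received a struct and reads pointer and length from that layout.
 * Nothing is dereferenced here; the returned pair is what memcpy would get. */
static intptr_t *struct_ptr_unchecked(const union obj *o, intptr_t *len_out) {
    *len_out = o->s.len;
    return o->s.ptr;
}

/* Hardened: check the concrete representation (the tag, not the class)
 * before touching struct fields, and bound the copy. */
static int struct_to_a_checked(const union obj *o, intptr_t *dst, intptr_t cap, intptr_t *n_out) {
    *n_out = 0;
    if (o->h.tt != TT_STRUCT) return -1;              /* type confusion: refuse */
    if (o->s.len < 0 || o->s.len > cap) return -1;    /* no out-of-bounds copy */
    if (o->s.len > 0 && o->s.ptr == NULL) return -1;  /* no NULL source */
    memcpy(dst, o->s.ptr, (size_t)o->s.len * sizeof *dst);
    *n_out = o->s.len;
    return 0;
}

/* A Range whose class slot was rebound to "Struct" but whose tag is still Range
 * (constructed to mirror the reporter's two-line input in this model). */
static union obj make_rebound_range(intptr_t beg, intptr_t end) {
    union obj o;
    memset(&o, 0, sizeof o);
    o.r.h.tt = TT_RANGE;
    o.r.h.klass = "Struct";
    o.r.beg = beg;
    o.r.end = end;
    return o;
}

/* 1 when the unchecked path would hand memcpy a NULL source with a non-zero
 * length: a read of the zero page, the signature in the ASAN report above. */
int unchecked_path_would_read_null(void) {
    union obj o = make_rebound_range(0, 1);
    intptr_t len = 0;
    intptr_t *src = struct_ptr_unchecked(&o, &len);
    return src == NULL && len > 0;
}

/* 1 when the checked path rejects the rebound range without copying anything. */
int checked_path_refuses_range(void) {
    union obj o = make_rebound_range(0, 1);
    intptr_t buf[4], n = 99;
    return struct_to_a_checked(&o, buf, 4, &n) == -1 && n == 0;
}

/* Sum of the copied members of a genuine three-member struct (10+20+30 = 60),
 * showing the check does not get in the way of the legitimate case. */
intptr_t checked_path_copies_struct(void) {
    intptr_t members[3] = { 10, 20, 30 };
    union obj o;
    memset(&o, 0, sizeof o);
    o.s.h.tt = TT_STRUCT;
    o.s.h.klass = "Struct";
    o.s.ptr = members;
    o.s.len = 3;
    intptr_t buf[4], n = 0;
    if (struct_to_a_checked(&o, buf, 4, &n) != 0 || n != 3) return -1;
    return buf[0] + buf[1] + buf[2];
}

int main(void) {
    printf("unchecked path would read NULL: %d\n", unchecked_path_would_read_null());
    printf("checked path refuses range:     %d\n", checked_path_refuses_range());
    printf("checked path copy sum:          %ld\n", (long)checked_path_copies_struct());
    return 0;
}
```

The point of the model is that class identity is mutable script-side state while the type tag is not, so a C method body must validate the tag it is about to interpret rather than rely on the dispatch that reached it; the unchecked helper is kept only to show what the memcpy arguments would have been, and it never dereferences them.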

@matz matz closed this in bd7bf26 Apr 5, 2017
