Null pointer dereference in mrb_hash_dup #3609

@clayton-shopify

Description

The following input demonstrates a crash:

```ruby
class X < Hash
  # Overrides Hash#initialize without calling super
  def initialize
  end
end

X.new.dup # crashes in mrb_hash_dup (see ASAN report below)
```

ASAN report:

```
==82906==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0001078722a7 bp 0x7fff58422590 sp 0x7fff58422080 T0)
==82906==The signal is caused by a READ memory access.
==82906==Hint: address points to the zero page.
    #0 0x1078722a6 in mrb_hash_dup hash.c:241
    #1 0x107944c24 in mrb_vm_exec vm.c:1276
    #2 0x107939dbf in mrb_vm_run vm.c:829
    #3 0x10796c8d9 in mrb_top_run vm.c:2655
    #4 0x107a3dc65 in mrb_load_exec parse.y:5780
    #5 0x107a3e5b5 in mrb_load_file_cxt parse.y:5789
    #6 0x1077d60e6 in main mruby.c:227
    #7 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

==82906==Register values:
rax = 0x0000000000000004  rbx = 0x00007fff58422180  rcx = 0x000060400001e9d0  rdx = 0x0000000000000004
rdi = 0x0000100000000000  rsi = 0x0000100000000000  rbp = 0x00007fff58422590  rsp = 0x00007fff58422080
 r8 = 0x00001c0800003d00   r9 = 0x0000100000000000  r10 = 0x0000000000000080  r11 = 0x0000000000000000
r12 = 0x00007fff58422140  r13 = 0x00007fff58422160  r14 = 0x00007fff58422100  r15 = 0x00007fff58422120
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV hash.c:241 in mrb_hash_dup
==82906==ABORTING
Abort trap: 6
```

This issue was reported by https://hackerone.com/flamezzz
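The report above shows an object whose overridden `initialize` skipped the base-class setup being duplicated, and ASAN flags a read of a small address in the zero page, i.e. a field read through a NULL pointer. The C below is an added illustration of that failure mode and of the defensive shape of a fix; it is not mruby's `hash.c`, and the `hash_obj`/`table` types and every function name in it are hypothetical. It models a hash whose backing table is created lazily, and places a dup that assumes the table exists next to one that treats "no table yet" as a valid state:

```c
#include <stdlib.h>
#include <string.h>

struct entry { long key; long val; };

/* Backing table (hypothetical model). It does not exist until the first
 * write, so a freshly allocated object carries tbl == NULL. */
struct table {
    size_t n;            /* live entries */
    size_t cap;          /* allocated slots */
    struct entry *ent;
};

struct hash_obj {
    struct table *tbl;   /* NULL until the first insert */
};

/* Mirrors the reported case: the object exists, its table does not. */
struct hash_obj *hash_new(void)
{
    return calloc(1, sizeof(struct hash_obj));
}

static struct table *table_new(size_t cap)
{
    struct table *t = calloc(1, sizeof *t);
    if (t == NULL) return NULL;
    t->cap = cap ? cap : 4;
    t->ent = calloc(t->cap, sizeof *t->ent);
    if (t->ent == NULL) { free(t); return NULL; }
    return t;
}

void hash_set(struct hash_obj *h, long key, long val)
{
    if (h->tbl == NULL) h->tbl = table_new(4);   /* lazy creation */
    struct table *t = h->tbl;
    if (t == NULL) return;                       /* allocation failed */
    for (size_t i = 0; i < t->n; i++) {
        if (t->ent[i].key == key) { t->ent[i].val = val; return; }
    }
    if (t->n == t->cap) {
        struct entry *grown = realloc(t->ent, 2 * t->cap * sizeof *t->ent);
        if (grown == NULL) return;
        t->ent = grown;
        t->cap *= 2;
    }
    t->ent[t->n++] = (struct entry){ key, val };
}

size_t hash_count(const struct hash_obj *h)
{
    return h->tbl ? h->tbl->n : 0;
}

/* Returns 1 and stores the value when key is present, 0 otherwise. */
int hash_get(const struct hash_obj *h, long key, long *out)
{
    if (h->tbl == NULL) return 0;
    for (size_t i = 0; i < h->tbl->n; i++) {
        if (h->tbl->ent[i].key == key) { *out = h->tbl->ent[i].val; return 1; }
    }
    return 0;
}

/* Unchecked dup: assumes src->tbl exists. On an object whose initializer
 * never created the table, src->tbl->cap reads a field through a NULL
 * pointer, the same shape of fault as the ASAN report (READ of a small
 * address in the zero page). Kept for contrast; not called on empty objects. */
struct hash_obj *hash_dup_unchecked(const struct hash_obj *src)
{
    struct hash_obj *dst = hash_new();
    if (dst == NULL) return NULL;
    dst->tbl = table_new(src->tbl->cap);         /* NULL dereference here */
    if (dst->tbl == NULL) { free(dst); return NULL; }
    memcpy(dst->tbl->ent, src->tbl->ent, src->tbl->n * sizeof *src->tbl->ent);
    dst->tbl->n = src->tbl->n;
    return dst;
}

/* Checked dup: a missing table is a legal state of the source, so the copy
 * is simply another object with no table yet; otherwise copy the entries. */
struct hash_obj *hash_dup_checked(const struct hash_obj *src)
{
    struct hash_obj *dst = hash_new();
    if (dst == NULL || src->tbl == NULL) return dst;
    dst->tbl = table_new(src->tbl->cap);
    if (dst->tbl == NULL) { free(dst); return NULL; }
    memcpy(dst->tbl->ent, src->tbl->ent, src->tbl->n * sizeof *src->tbl->ent);
    dst->tbl->n = src->tbl->n;
    return dst;
}
```

The point of the checked variant is that every reader of the lazily created table, not only `dup`, has to accept NULL as a normal state, because a subclass can always bypass the base initializer that would otherwise have created it.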
