When MRuby is built with MRB_INT64, the following input causes a crash:
sprintf "%*f", 2147483648, Float::NAN
ASAN report:
==91193==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
#0 0x1058aa5e3 in __asan_memset (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d5e3)
#1 0x105648bd6 in mrb_str_format sprintf.c:1037
#2 0x10563a9c1 in mrb_f_sprintf sprintf.c:516
#3 0x105611393 in mrb_vm_exec vm.c:1314
#4 0x10560659f in mrb_vm_run vm.c:860
#5 0x105638a29 in mrb_top_run vm.c:2731
#6 0x105707fb5 in mrb_load_exec parse.y:5780
#7 0x1057088c5 in mrb_load_file_cxt parse.y:5789
#8 0x1054abb07 in main mruby.c:227
#9 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)
0x60c000013300 is located 0 bytes inside of 121-byte region [0x60c000013300,0x60c000013379)
allocated by thread T0 here:
#0 0x1058b3520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x10559c015 in mrb_default_allocf state.c:60
#2 0x10551e5c8 in mrb_realloc_simple gc.c:203
#3 0x10551ed1e in mrb_realloc gc.c:217
#4 0x1055a2af8 in resize_capa string.c:140
#5 0x1055a22e5 in mrb_str_resize string.c:738
#6 0x10563bf7f in mrb_str_format sprintf.c:570
#7 0x10563a9c1 in mrb_f_sprintf sprintf.c:516
#8 0x105611393 in mrb_vm_exec vm.c:1314
#9 0x10560659f in mrb_vm_run vm.c:860
#10 0x105638a29 in mrb_top_run vm.c:2731
#11 0x105707fb5 in mrb_load_exec parse.y:5780
#12 0x1057088c5 in mrb_load_file_cxt parse.y:5789
#13 0x1054abb07 in main mruby.c:227
#14 0x7fff8c15e234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: negative-size-param (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d5e3) in __asan_memset
==91193==ABORTING
Abort trap: 6
if ((flags & FWIDTH) && need < width)
  need = width;
The type of variable need is int, but the type of width is mrb_int, which is int64_t when compiling with MRB_INT64. During the comparison, need is promoted to int64_t, but it overflows when being assigned from width, and the following memset/memcpy will cause a heap overflow.
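To make the narrowing concrete, here is an added example (not mruby's code) that mirrors the need/width assignment with mrb_int assumed to be int64_t as under MRB_INT64, shows the size the memset would receive, and pairs it with a bounds check that rejects an over-wide field before any buffer is sized. The names buggy_need, safe_need and memset_len, and the FWIDTH bit, are hypothetical stand-ins for the real sprintf.c symbols.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

typedef int64_t mrb_int;   /* assumption: an MRB_INT64 build */
#define FWIDTH 1           /* hypothetical flag bit standing in for sprintf.c's */

/* Mirrors the reported assignment: 'need' is int, 'width' is mrb_int.
 * The comparison is evaluated in int64_t, so need < 2147483648 is true,
 * but the store narrows to int. The explicit cast spells out the implicit
 * conversion in sprintf.c; on mainstream compilers it wraps to INT_MIN,
 * the size=-2147483648 that ASAN reports. */
int buggy_need(int need, mrb_int width, int flags)
{
    if ((flags & FWIDTH) && need < width)
        need = (int)width;
    return need;
}

/* The size memset would receive: a negative int converted to size_t. */
size_t memset_len(int need)
{
    return (size_t)need;
}

/* Hardened variant: reject a width that does not fit in an int before it
 * can size a buffer. Returns 0 and leaves *need untouched on rejection. */
int safe_need(int *need, mrb_int width, int flags)
{
    if ((flags & FWIDTH) && *need < width) {
        if (width > INT_MAX)
            return 0;          /* caller should raise "width too big" */
        *need = (int)width;
    }
    return 1;
}

int main(void)
{
    mrb_int width = (mrb_int)2147483648LL;  /* the repro's %*f argument */
    int need = buggy_need(0, width, FWIDTH);
    printf("buggy need = %d, memset size = %zu\n", need, memset_len(need));
    int n = 0;
    printf("safe_need accepted: %d\n", safe_need(&n, width, FWIDTH));
    return 0;
}
```

The check belongs where width is computed from the `*` argument, before need is widened to it; rejecting anything above INT_MAX (or a much lower cap) is what keeps the later memset from ever seeing a negative length.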
Initially I wrote that this only affected mirb. That turned out to be incorrect; my mruby build was broken. After rebuilding it now crashes in both mruby and mirb.
This bug was reported by https://hackerone.com/shikchen, who offered the explanation quoted above. The offending lines are in mruby/mrbgems/mruby-sprintf/src/sprintf.c, lines 1034 to 1035 at commit 9644ad5:
if ((flags & FWIDTH) && need < width)
  need = width;