It appears this problem was introduced in acd3ac6.
ASAN report:
==51967==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00001d480 at pc 0x00010271a4ca bp 0x7fff5d854240 sp 0x7fff5d8539f0
WRITE of size 16 at 0x61d00001d480 thread T0
#0 0x10271a4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
#1 0x102473db0 in stack_clear (mruby:x86_64+0x100162db0)
#2 0x1024738f0 in mrb_vm_run (mruby:x86_64+0x1001628f0)
#3 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#4 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#5 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#6 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#7 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#8 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#9 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#10 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#11 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#12 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#13 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#14 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#15 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#16 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#17 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#18 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#19 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#20 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#21 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#22 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#23 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#24 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#25 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#26 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#27 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#28 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#29 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#30 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#31 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#32 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#33 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#34 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#35 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#36 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#37 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#38 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#39 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#40 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#41 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#42 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#43 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#44 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#45 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#46 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#47 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#48 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#49 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#50 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#51 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#52 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#53 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#54 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#55 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#56 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#57 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#58 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#59 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#60 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#61 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#62 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#63 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#64 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#65 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#66 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#67 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#68 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#69 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#70 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#71 0x10246b86e in mrb_run (mruby:x86_64+0x10015a86e)
#72 0x1024a5193 in ecall (mruby:x86_64+0x100194193)
#73 0x10247c743 in mrb_vm_exec (mruby:x86_64+0x10016b743)
#74 0x1024739e6 in mrb_vm_run (mruby:x86_64+0x1001629e6)
#75 0x1024a7cdf in mrb_top_run (mruby:x86_64+0x100196cdf)
#76 0x102579dd5 in mrb_load_exec (mruby:x86_64+0x100268dd5)
#77 0x10257a725 in mrb_load_file_cxt (mruby:x86_64+0x100269725)
#78 0x102312e36 in main mruby.c:227
#79 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
0x61d00001d480 is located 0 bytes to the right of 2048-byte region [0x61d00001cc80,0x61d00001d480)
allocated by thread T0 here:
#0 0x102723520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x1024072ff in mrb_default_allocf (mruby:x86_64+0x1000f62ff)
#2 0x102388068 in mrb_realloc_simple gc.c:203
#3 0x1023887be in mrb_realloc gc.c:217
#4 0x102389243 in mrb_malloc gc.c:238
#5 0x1023892dd in mrb_calloc gc.c:256
#6 0x102469ae2 in stack_init (mruby:x86_64+0x100158ae2)
#7 0x102466ca0 in mrb_funcall_with_block (mruby:x86_64+0x100155ca0)
#8 0x1024665da in mrb_funcall_with_block (mruby:x86_64+0x1001555da)
#9 0x102465dc7 in mrb_funcall_argv (mruby:x86_64+0x100154dc7)
#10 0x10234e1f5 in mrb_obj_new (mruby:x86_64+0x10003d1f5)
#11 0x102372e0d in mrb_exc_new_str (mruby:x86_64+0x100061e0d)
#12 0x10237b9f7 in mrb_init_exception (mruby:x86_64+0x10006a9f7)
#13 0x1023ac434 in mrb_init_core (mruby:x86_64+0x10009b434)
#14 0x1024072ae in mrb_open_core (mruby:x86_64+0x1000f62ae)
#15 0x10240748c in mrb_open_allocf (mruby:x86_64+0x1000f648c)
#16 0x102407457 in mrb_open (mruby:x86_64+0x1000f6457)
#17 0x102311d48 in main mruby.c:171
#18 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c3a00003a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3a00003a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3a00003a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3a00003a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c3a00003a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1c3a00003a90:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3a00003ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3a00003ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==51967==ABORTING
Abort trap: 6
The following input demonstrates a crash:
This issue was reported by https://hackerone.com/ssarong