It seems this issue was introduced in eb5a606. Prior to that commit, the program exits with LocalJumpError:unexpected break.
ASAN report:
==12392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001f09c at pc 0x000105374c89 bp 0x7fff5a9e9130 sp 0x7fff5a9e9128
READ of size 4 at 0x60200001f09c thread T0
#0 0x105374c88 in mrb_vm_exec (mruby:x86_64+0x100167c88)
#1 0x105370886 in mrb_vm_run (mruby:x86_64+0x100163886)
#2 0x1053a49bf in mrb_top_run (mruby:x86_64+0x1001979bf)
#3 0x105476d95 in mrb_load_exec (mruby:x86_64+0x100269d95)
#4 0x1054776e5 in mrb_load_file_cxt (mruby:x86_64+0x10026a6e5)
#5 0x10520fa46 in main mruby.c:227
#6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
0x60200001f09c is located 0 bytes to the right of 12-byte region [0x60200001f090,0x60200001f09c)
allocated by thread T0 here:
#0 0x105620520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x105304155 in mrb_default_allocf (mruby:x86_64+0x1000f7155)
#2 0x105284de8 in mrb_realloc_simple gc.c:203
#3 0x105437f45 in codegen_realloc (mruby:x86_64+0x10022af45)
#4 0x10544861c in scope_finish (mruby:x86_64+0x10023b61c)
#5 0x10543aa7a in scope_body (mruby:x86_64+0x10022da7a)
#6 0x105425cc5 in codegen (mruby:x86_64+0x100218cc5)
#7 0x10541f3b1 in mrb_generate_code (mruby:x86_64+0x1002123b1)
#8 0x105476210 in mrb_load_exec (mruby:x86_64+0x100269210)
#9 0x1054776e5 in mrb_load_file_cxt (mruby:x86_64+0x10026a6e5)
#10 0x10520fa46 in main mruby.c:227
#11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x100167c88) in mrb_vm_exec
==12392==ABORTING
Abort trap: 6
This reverts commits eb5a606 and 079f310.
The rescue stack works differently from the ensure stack, so the change
caused #3686 and #3688. It might take a long time to solve the problems,
so I would revert the changes for now. Fix #3688
The following input demonstrates a crash:
This issue was reported by https://hackerone.com/flamezzz