Closed
The commit aa8121c reintroduced #3353. The same input now causes a crash again:
(Array.new)[0x7fffffff] = 1

ASAN report:
==58934==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000a1a0 at pc 0x000103e0e4ca bp 0x7fff5c1fd630 sp 0x7fff5c1fcde0
WRITE of size 16 at 0x60600000a1a0 thread T0
#0 0x103e0e4c9 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9)
#1 0x1039ff145 in ary_fill_with_nil array.c:104
#2 0x103a03409 in mrb_ary_set array.c:576
#3 0x103a0de93 in mrb_ary_aset array.c:825
#4 0x103b670ad in mrb_vm_exec (mruby:x86_64+0x10016f0ad)
#5 0x103b5ba74 in mrb_vm_run (mruby:x86_64+0x100163a74)
#6 0x103b910ff in mrb_top_run (mruby:x86_64+0x1001990ff)
#7 0x103c6926d in mrb_load_exec (mruby:x86_64+0x10027126d)
#8 0x103c6a085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
#9 0x1039fa933 in main mruby.c:227
#10 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
0x60600000a1a0 is located 0 bytes to the right of 64-byte region [0x60600000a160,0x60600000a1a0)
allocated by thread T0 here:
#0 0x103e17520 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56520)
#1 0x103aef385 in mrb_default_allocf (mruby:x86_64+0x1000f7385)
#2 0x103a70348 in mrb_realloc_simple gc.c:204
#3 0x103a70a9e in mrb_realloc gc.c:218
#4 0x1039feebb in ary_expand_capa array.c:193
#5 0x103a032c0 in mrb_ary_set array.c:575
#6 0x103a0de93 in mrb_ary_aset array.c:825
#7 0x103b670ad in mrb_vm_exec (mruby:x86_64+0x10016f0ad)
#8 0x103b5ba74 in mrb_vm_run (mruby:x86_64+0x100163a74)
#9 0x103b910ff in mrb_top_run (mruby:x86_64+0x1001990ff)
#10 0x103c6926d in mrb_load_exec (mruby:x86_64+0x10027126d)
#11 0x103c6a085 in mrb_load_file_cxt (mruby:x86_64+0x100272085)
#12 0x1039fa933 in main mruby.c:227
#13 0x7fffe5638234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x4d4c9) in __asan_memcpy
Shadow bytes around the buggy address:
0x1c0c000013e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0c000013f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0c00001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0c00001410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0c00001420: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x1c0c00001430: 00 00 00 00[fa]fa fa fa fd fd fd fd fd fd fd fd
0x1c0c00001440: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x1c0c00001450: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
0x1c0c00001460: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
0x1c0c00001470: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x1c0c00001480: 00 00 00 00 00 00 00 04 fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==58934==ABORTING
Abort trap: 6
This issue was reported by https://hackerone.com/flamezzz
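The trace above shows the allocation happening in ary_expand_capa (array.c:193) and the out-of-bounds write happening in ary_fill_with_nil (array.c:104) when index 0x7fffffff is assigned on an empty array. As an added example, which is not mruby's code, here is a hypothetical minimal growable array in C whose `ary[idx] = v` path rejects indices above a fixed ceiling and checks every capacity computation for overflow before it reallocates and fills the gap; that is the class of check that keeps an input like the reporter's from becoming a heap write past the buffer. The names (`dynarray`, `DYNARRAY_MAX_LEN`, `replay_issue_input`, `replay_normal_set`) and the ceiling value are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable array of 64-bit values (stands in for an array of
 * mrb_value). Constructed for this example; not mruby's data structure. */
typedef struct {
    int64_t *buf;   /* heap buffer holding the elements */
    size_t   len;   /* elements in use */
    size_t   capa;  /* elements allocated */
} dynarray;

/* Hard ceiling on element count (assumed value). An index above this on an
 * empty array is refused instead of triggering a multi-gigabyte growth. */
#define DYNARRAY_MAX_LEN ((size_t)1 << 24)

typedef enum { SET_OK = 0, SET_ERR_INDEX, SET_ERR_OVERFLOW, SET_ERR_NOMEM } set_status;

static void dynarray_init(dynarray *a) { a->buf = NULL; a->len = 0; a->capa = 0; }
static void dynarray_free(dynarray *a) { free(a->buf); dynarray_init(a); }

/* Grow so that at least `need` elements fit; every arithmetic step is
 * checked for wrap-around before realloc is called. */
static set_status dynarray_expand(dynarray *a, size_t need)
{
    if (need <= a->capa) return SET_OK;
    size_t capa = a->capa ? a->capa : 4;
    while (capa < need) {
        if (capa > SIZE_MAX / 2) return SET_ERR_OVERFLOW;
        capa *= 2;
    }
    if (capa > SIZE_MAX / sizeof(int64_t)) return SET_ERR_OVERFLOW;
    int64_t *nb = realloc(a->buf, capa * sizeof(int64_t));
    if (!nb) return SET_ERR_NOMEM;
    a->buf = nb;
    a->capa = capa;
    return SET_OK;
}

/* Hardened `ary[idx] = v`: validate the index before touching memory, then
 * grow, then fill the gap [len, idx) with nil (0 here) inside the capacity
 * that was just verified, and only then store the value. */
static set_status dynarray_set(dynarray *a, int64_t idx, int64_t v)
{
    if (idx < 0 || (uint64_t)idx >= DYNARRAY_MAX_LEN) return SET_ERR_INDEX;
    size_t uidx = (size_t)idx;
    if (uidx >= a->len) {
        set_status st = dynarray_expand(a, uidx + 1);
        if (st != SET_OK) return st;
        memset(a->buf + a->len, 0, (uidx - a->len) * sizeof(int64_t));
        a->len = uidx + 1;
    }
    a->buf[uidx] = v;
    return SET_OK;
}

/* Replays the reporter's input, (Array.new)[0x7fffffff] = 1, against the
 * hardened array: the index is rejected and no allocation or write happens. */
int replay_issue_input(void)
{
    dynarray a;
    dynarray_init(&a);
    set_status st = dynarray_set(&a, 0x7fffffff, 1);
    dynarray_free(&a);
    return st;
}

/* Ordinary sparse assignment still works: returns 1 when the gap is
 * nil-filled, the length is extended and the stored values are correct. */
int replay_normal_set(void)
{
    dynarray a;
    dynarray_init(&a);
    int ok = dynarray_set(&a, 5, 42) == SET_OK && a.len == 6 && a.buf[5] == 42;
    for (size_t i = 0; ok && i < 5; i++) ok = (a.buf[i] == 0);
    ok = ok && dynarray_set(&a, 2, 7) == SET_OK && a.buf[2] == 7 && a.len == 6;
    dynarray_free(&a);
    return ok;
}

int main(void)
{
    printf("issue input status: %d (expect %d = SET_ERR_INDEX)\n", replay_issue_input(), SET_ERR_INDEX);
    printf("normal sparse set ok: %d\n", replay_normal_set());
    return 0;
}
```

The two checks are deliberately separate: the index ceiling stops the pathological case early, and the overflow checks in the growth path protect against any caller that reaches it with a large but still permitted size. Either one alone would have kept the fill from running past the 64-byte region in the report; together they make the failure mode an error return rather than a crash.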