Closed
When the following mruby code is executed with mruby in
version c91c9e2, mruby crashes because of a segmentation violation:
#This input causes mruby to crash
#this bug was found using nautilus 2.0: https://github.com/nautilus-fuzz/nautilus
b="a"
c={1=>1, 2=>"foo", "foo"=>nil, nil=> nil}
b = b.sub(b){|| def b.instance_eval()
end
}
b = c.method(b){|| }
b = b.call(){||}
ASAN output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==65641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000062cfcc bp 0x7ffeb1da0570 sp 0x7ffeb1d94620 T0)
==65641==The signal is caused by a READ memory access.
==65641==Hint: address points to the zero page.
#0 0x62cfcb in mrb_vm_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x62cfcb)
#1 0x61c3d4 in mrb_vm_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x61c3d4)
#2 0x67323f in mrb_top_run (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x67323f)
#3 0x5eda0d in mrb_load_exec (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x5eda0d)
#4 0x5ee71d in mrb_load_file_cxt (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x5ee71d)
#5 0x4c56df in main (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x4c56df)
#6 0x7f2f635fa1e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
#7 0x41c68d in _start (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x41c68d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzzing/targets/binary_backups/mruby_current_ASAN_no_instrumentation+0x62cfcb) in mrb_vm_exec
==65641==ABORTING
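To make the fuzzer-generated input readable during triage, the following is a step-by-step desugaring of the reproducer. It is an added example, not code from the issue or from mruby, and it runs on CRuby (where none of these steps crash) so that each intermediate value can be inspected; the method names are ours.

```ruby
# Added example, not part of the issue: desugars the reproducer above step by
# step on CRuby, which does not crash here. Method names are ours.

# Step 1: `b.sub(b) { ... }`. The block body is a `def`, which evaluates to
# the Symbol :instance_eval; String#sub converts the block's result with to_s,
# so the original "a" is replaced by the text "instance_eval".
def step1_sub_with_def
  b = "a"
  b = b.sub(b) { || def b.instance_eval() end }
  b
end

# Step 2: `c.method(b)`. Object#method accepts a String name, so this yields a
# Method object bound to the hash for BasicObject#instance_eval.
def step2_method_lookup(name)
  c = {1=>1, 2=>"foo", "foo"=>nil, nil=>nil}
  c.method(name)
end

# Step 3: `b.call(){||}`. Method#call forwards its block, so this is the same
# as `c.instance_eval { }`: the empty block runs with self rebound to the hash
# and returns nil.
def step3_call_with_block(m)
  m.call() { || }
end

# The whole chain, returning every intermediate value for inspection.
def desugar_reproducer
  name = step1_sub_with_def
  m = step2_method_lookup(name)
  {
    name: name,                                  # "instance_eval"
    owner: m.owner,                              # BasicObject
    receiver_is_hash: m.receiver.is_a?(Hash),    # true
    result: step3_call_with_block(m),            # nil
    # Same call with a non-empty block, confirming self is rebound to the hash:
    self_in_block: m.call { self }.is_a?(Hash),  # true
  }
end

if __FILE__ == $0
  p desugar_reproducer
end
```

So the input is effectively `{...}.instance_eval { }` reached through `Method#call`, with the block forwarded by the VM; the `mrb_vm_exec` frame at the top of the ASAN trace is the interpreter loop executing that call. Whether the null read is in block forwarding or elsewhere is not established by the trace alone.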