Bug #15189

closed

Multiple OOB reads (of size 4) in rb_bigzero_p

Added by bannable (Joe Truba) over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux]
[ruby-core:89239]

Description

An AFL fuzzing session against 6b4d78fc43 this weekend turned up 17 crashes in rb_bigzero_p.

I suspect that all of these are the same underlying bug -- they are all a 4-byte OOB read in rb_bigzero_p -- so I'm including all of them in this single issue. If you'd like me to report each of these separately, let me know and I'll happily do that.

For each reproducer, I have included:

  • the reproducer
  • stdout from ruby
  • gdb backtrace
  • valgrind report

Files

crashes.rb_bigzero_p.zip (104 KB), added by bannable (Joe Truba), 10/01/2018 07:58 PM

Related issues: 1 (0 open, 1 closed)

Has duplicate: Ruby master - Bug #15191: Segfault in bignum.c bigtrunc() (Closed)
