Bug #10991
Updated by nobu (Nobuyoshi Nakada) over 10 years ago
I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be `NULL` derefs from `RSTRING_PTR()` (I checked the first few by hand and ran exploitable over the remainder), so not obviously catastrophic from a security perspective.

Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).

To reproduce from the command line:

`ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4`

Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).