Bug #10991

Updated by nobu (Nobuyoshi Nakada) about 9 years ago

I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be `NULL` derefs from `RSTRING_PTR()` (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective.

Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable).

To reproduce from the command line:

    ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4

Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier).