Project

General

Profile

Bug #10991

Updated by nobu (Nobuyoshi Nakada) over 9 years ago

I've fuzzed some crashes in the marshal loader. The docs are explicit about not handing untrusted data to these methods and all appear to be `NULL` NULL derefs from `RSTRING_PTR()` RSTRING_PTR() (I checked the first few by hand and ran exploitable over the remainder) so not obviously catastrophic from a security perspective. 

 Attached please find a tgz containing the input data (from afl) and gdb session output (backtrace, set args ..., run, exploitable). 

 To reproduce from the command line: 

     ruby -e 'Marshal.load(STDIN)' < id:000001,sig:11,src:003955,op:havoc,rep:4 

 Today's ruby-2.2-head is affected, and as far back as ruby-2.1.5 at least (possibly earlier). 

Back