From: nobu@...
Date: 2018-10-02T16:55:38+00:00
Subject: [ruby-core:89253] [Ruby trunk Bug#15189] Multiple OOB reads (of size 4) in rb_bigzero_p

Issue #15189 has been updated by nobu (Nobuyoshi Nakada).

I'm not sure what caused the difference, and `call_cfunc_1` does not appear in either code on my machine.
That function should be simple enough to be eliminated by tail-call optimization.

----------------------------------------
Bug #15189: Multiple OOB reads (of size 4) in rb_bigzero_p
https://bugs.ruby-lang.org/issues/15189#change-74278

* Author: bannable (Joe Truba)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
An AFL fuzzing session against 6b4d78fc43 this weekend turned up 17 crashes in rb_bigzero_p. I suspect that all of these are the same underlying bug -- they are all a 4-byte OOB read in rb_bigzero_p -- so I'm including all of them in this single issue. If you'd like me to report each of these separately, let me know and I'll happily do that.

For each reproducer, I have included:

* the reproducer
* stdout from ruby
* gdb backtrace
* valgrind report

---Files--------------------------------
crashes.rb_bigzero_p.zip (104 KB)

--
https://bugs.ruby-lang.org/