mruby array.c ary_fill_exec out-of-bounds write

...

EUVD-2019-11870

Malware in sbrugna...

in mruby/mruby

Description There is a NULL Pointer Dereference in aryconcat array.c:301. This bug has been found on mruby lastest commit hash ecb28f4bf463483cf914c799d086b0cfff997aee on Ubuntu 20.04 for x8664/amd64. Proof of Concept The crash is not reproducible in a debug build, so a release build config must ...

CVE-2019-2228

In arrayfind of array.c, there is a possible out-of-bounds read due to an incorrect bounds check. This could lead to local information disclosure in the printer spooler with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:...

Out-of-bounds

In arrayfind of array.c, there is a possible out-of-bounds read due to an incorrect bounds check. This could lead to local information disclosure in the printer spooler with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions:...

shopify-scripts: Null pointer dereference in ary_concat

PoC === The following demonstrates a crash: def f end @a = f &:s Debug info ========== mruby crashes in array.c:260 due to a null pointer dereference. 256│ aryconcatmrbstate mrb, struct RArray a, struct RArray a2 257│ 258│ mrbint len; 259│ 260├ if a2-len ARYMAXSIZE - a-len 261│ mrbraisemrb,...

shopify-scripts: Heap Overflow in mrb_arb_splice

It's similar with 192235, but the root cause is different. both of mruby and mruby-engine are crashed by the following PoC. MRBINT64 ruby ary = Array.new1023 ary0x7ffffffffffffc00,0 = Array.new1024 $ gdb -q --args ./bin/mruby test2.rb Reading symbols from ./bin/mruby...done. gdb r Starting progra...