2 matches found
shopify-scripts: Controlled address leak due to type confusion - ASLR bypass
There are several different places in which arguments are treated as fixnums without a prior check for their type. Since `mrb_value` is a union that holds all value types, it can cause a mixup between an object pointer and an integer value: `typedef struct mrb_value { union { mrb_float f; void *p; mrb_in...`
shopify-scripts: Crash: Overwriting NoMethodError with a builtin class crashes/corrupts memory
Uhm, while testing this I seem to have broken https://mruby.science. Ooops, sorry about that! Anyway, here's the bug: Overwriting (at least, not sure about other triggers) NoMethodError with a builtin class like Fixnum or Integer leads to a rather interesting behavior. https://mruby.science didn't...