3 matches found
OSV-2021-1218 Heap-buffer-overflow in value_move
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=38298 Crash type: Heap-buffer-overflow READ 8 Crash state: value_move mrb_ary_splice mrb_ary_aset...
shopify-scripts: Still heap overflow in mrb_ary_splice
The fix for 192362 still crashes with a different PoC. I think the cause of this bug is the same and I missed the incomplete fix, so you may be able to skip rewards for this one. Cause: If I set the tail value to a specific value, then I can maintain the array size. The original fix only checks...
shopify-scripts: Heap Overflow in mrb_arb_splice
It's similar to 192235, but the root cause is different. Both mruby and mruby-engine are crashed by the following PoC. MRB_INT64 ruby ary = Array.new(1023) ary[0x7ffffffffffffc00,0] = Array.new(1024) $ gdb -q --args ./bin/mruby test2.rb Reading symbols from ./bin/mruby...done. (gdb) r Starting progra...