5 matches found
OSV-2022-1163 Negative-size-param in mrb_str_format
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53183 Crash type: Negative-size-param Crash state: mrb_str_format mrb_f_sprintf mrb_vm_exec...
OSV-2021-849 Negative-size-param in mrb_str_format
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35109 Crash type: Negative-size-param Crash state: mrb_str_format mrb_f_sprintf mrb_vm_exec...
OSV-2021-794 Heap-buffer-overflow in mrb_format_float
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34652 Crash type: Heap-buffer-overflow WRITE 1 Crash state: mrb_format_float fmt_float mrb_str_format...
Signed integer overflow in mrb_str_format
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length...
shopify-scripts: Invalid memory access in `mrb_str_format`
Only affects mruby because mruby-engine doesn't have sprintf. I should have filed this last Friday before I went to the pub, so missed out on higher bounties. Oh well! Crash file is: sprintf"%1$c", 0 Crash is: $ lldb ./bin/mruby ../crash.rb lldb target create "./bin/mruby" Current executable set ...