Issue #15189 has been updated by nobu (Nobuyoshi Nakada).


Thank you for the report.

Your reproducers often seem to be duplicated, and note that `\0` is treated as the EOF in the parser and anything after it has no effect at all.

Reduced (but not the smallest) code is:
```
crash01/reproducer:111r+11**-11111161111111
crash02/reproducer:1118111111111**-1111111111111111**1+1==11111
crash03/reproducer:-1111111**-1111*11 - -1111111** -111111111
crash04/reproducer:1118111111111** -1111111111111111**1+11111111111**1 ===111
crash05/reproducer:11** -111155555555555555  -55   !=5-555
crash07/reproducer:1 + 111111111**-1111811111
crash08/reproducer:18111111111**-1111111111111111**1 + 1111111111**-1111**1
crash10/reproducer:-7 - -1111111** -1111**11
crash12/reproducer:1118111111111** -1111111111111111**1 + 1111 - -1111111** -1111*111111111119
crash13/reproducer:1.0i - -1111111** -111111111
crash14/reproducer:11111**111111111**111111 * -11111111111111111111**-111111111111
crash15/reproducer:~1**1111 + -~1**~1**111
crash17/reproducer:11** -1111111**1111 /11i
crash18/reproducer:5555i**-5155 - -9111111**-1111**11
crash19/reproducer:111111 < 111111*-11111111111111111111**-1111111111111111
crash20/reproducer:1111**111-11**-11111**11
crash21/reproducer:11**-10111111119-1i -1r
```

----------------------------------------
Bug #15189: Multiple OOB reads (of size 4) in rb_bigzero_p
https://bugs.ruby-lang.org/issues/15189#change-74274

* Author: bannable (Joe Truba)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
An AFL fuzzing session against 6b4d78fc43 this weekend turned up 17 crashes in rb_bigzero_p.

I suspect that all of these are the same underlying bug -- they are all a 4 byte OOB read in rb_bigzero_p -- so I'm including all of them in this single issue. If you'd like me to report each of these separately let me know and I'll happily do that.

For each reproducer, I have included:
* the reproducer
* stdout from ruby
* gdb backtrace
* valgrind report

---Files--------------------------------
crashes.rb_bigzero_p.zip (104 KB)
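A triage helper written for this thread (an added example, not code from the report or from ruby-core): it applies nobu's observation that the parser stops at the first `\0`, groups the reproducers on that basis so duplicates are visible, and runs each one in a child interpreter under a time limit, classifying the outcome so a batch like the 17 crashes above can be reduced before filing. The names `normalize_reproducer`, `dedup_reproducers` and `classify_reproducer` are chosen here, and the child interpreter is assumed to be the one reported by `RbConfig.ruby`.

```ruby
require 'open3'
require 'rbconfig'

# The parser treats a NUL byte as EOF, so only the bytes before the first "\0"
# matter; trailing whitespace is likewise irrelevant to the crash.
def normalize_reproducer(src)
  src.split("\0", 2).first.to_s.rstrip
end

# Group reproducers by normalized source: {normalized_src => [names]}.
# Any group with more than one name is the same test case reported twice.
def dedup_reproducers(repros)
  groups = Hash.new { |h, k| h[k] = [] }
  repros.each { |name, src| groups[normalize_reproducer(src)] << name }
  groups
end

# Run one reproducer in a fresh interpreter (source fed on stdin, so no shell
# quoting) under a wall-clock limit and classify the outcome:
#   :ok      exited 0              :error   Ruby-level exception (non-zero exit)
#   :crash   killed by a signal    :timeout still running after `limit` seconds
# A VM bug such as the OOB read in this report ends as :crash (rb_bug aborts),
# and the "[BUG]" line from stderr is kept so crashes can be grouped by site.
def classify_reproducer(src, ruby: RbConfig.ruby, limit: 5)
  Open3.popen3(ruby, '--disable-gems', '-') do |stdin, stdout, stderr, wait_thr|
    # Drain both pipes in the background so a chatty child cannot block on them.
    out_t = Thread.new { stdout.read }
    err_t = Thread.new { stderr.read }
    begin
      stdin.write(normalize_reproducer(src))
    rescue Errno::EPIPE
      # child already exited; fall through and inspect its status
    end
    stdin.close
    timed_out = wait_thr.join(limit).nil?
    if timed_out
      begin
        Process.kill('KILL', wait_thr.pid)
      rescue Errno::ESRCH
        # exited between the join timeout and the kill; nothing to do
      end
      wait_thr.join
    end
    status = wait_thr.value
    out_t.join
    bug = err_t.value.to_s.lines.find { |l| l.include?('[BUG]') }&.strip
    if timed_out
      { result: :timeout, code: nil, bug: bug }
    elsif status.signaled?
      { result: :crash, code: status.termsig, bug: bug }
    else
      { result: status.success? ? :ok : :error, code: status.exitstatus, bug: bug }
    end
  end
end
```

Run the grouped reproducers through `classify_reproducer` one group at a time; a reproducer that reports `:timeout` is usually a bignum computation that is merely slow, not a crash, and belongs in a separate bucket from the `:crash` results.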

