Null pointer dereference due to TOCTTOU bug in mrb_time_initialize
High
Vulnerability Details
mrb_time_initialize sets the object's data pointer to NULL before parsing its function arguments. Parsing those arguments can call back into Ruby code, invoking methods (such as `to_i`) to do type coercion. If the coercion method accesses the Time object being initialized, it dereferences a NULL pointer.
The following snippet results in a native crash under mruby-engine:
```ruby
$x = Time.new

class Tmp
  def to_i
    $x.mday
  end
end

$x.initialize Tmp.new
```
Attached is a patch to mruby to fix this issue.
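The patch itself is not reproduced on this page. The following is an added illustration of the two defensive changes the report implies, written here as a constructed C model rather than mruby's own code or the reporter's patch: `struct obj`, `time_data`, `coerce_fn`, `time_initialize_vulnerable`, `time_initialize_fixed` and `run_scenario` are all hypothetical names standing in for DATA_PTR, mrb_get_args and the Time methods. The vulnerable ordering releases and NULLs the payload before argument parsing, so a re-entrant coercion callback (the analogue of `Tmp#to_i` calling `$x.mday`) runs against a NULL data pointer. The fix is twofold: parse (and coerce) arguments before tearing down the payload, and have the accessor reject an uninitialized receiver instead of dereferencing NULL.

```c
#include <stdlib.h>

/* Constructed model of the bug pattern; none of this is mruby's own code.
 * An object carries a native payload behind a data pointer, like DATA_PTR(self)
 * on an mruby Time. */
struct time_data { int mday; };
struct obj { struct time_data *data; };

/* Stand-in for the Ruby-level coercion method (#to_i) that argument parsing
 * can call. It receives the receiver so it can re-enter it, like Tmp#to_i
 * calling $x.mday in the report. It records what it saw in *seen and returns
 * the coerced value. */
typedef int (*coerce_fn)(struct obj *receiver, int *seen);

/* Time#mday-like accessor. The NULL check is the defence-in-depth half of the
 * fix: an uninitialized receiver yields an error value (-1) instead of a crash. */
int time_mday(const struct obj *self) {
    if (self->data == NULL) return -1;
    return self->data->mday;
}

static int set_mday(struct obj *self, int mday) {
    struct time_data *td = malloc(sizeof *td);
    if (td == NULL) return -1;
    td->mday = mday;
    self->data = td;
    return 0;
}

/* Ordering the report describes: tear down the payload first, then parse
 * arguments. The coercion callback therefore runs while data == NULL. */
int time_initialize_vulnerable(struct obj *self, coerce_fn coerce, int *seen) {
    free(self->data);
    self->data = NULL;              /* the "set data pointer to NULL" step */
    int mday = coerce(self, seen);  /* the argument-parsing step, re-entering self */
    return set_mday(self, mday);
}

/* Fixed ordering: parse (and let coercion run) before touching the payload,
 * so any re-entrant call observes a fully initialized object. */
int time_initialize_fixed(struct obj *self, coerce_fn coerce, int *seen) {
    int mday = coerce(self, seen);  /* may call back into self; state still intact */
    free(self->data);
    self->data = NULL;
    return set_mday(self, mday);
}

/* Constructed re-entrant coercion, mirroring Tmp#to_i: read the receiver's
 * mday, then yield 17 as the coerced argument. */
int reentrant_to_i(struct obj *receiver, int *seen) {
    *seen = time_mday(receiver);
    return 17;
}

/* Runs one initializer on a Time that starts with mday == 5 and returns the
 * value the callback observed mid-initialize: 5 for the fixed ordering, -1
 * (the "uninitialized" error value) for the vulnerable ordering. -2 on OOM. */
int run_scenario(int (*init)(struct obj *, coerce_fn, int *)) {
    struct obj o = { NULL };
    int seen = 0;
    if (set_mday(&o, 5) != 0) return -2;
    if (init(&o, reentrant_to_i, &seen) != 0) { free(o.data); return -2; }
    free(o.data);
    return seen;
}
```

Without the NULL check in `time_mday`, the vulnerable ordering would segfault exactly as the report's snippet does; with it, the re-entrant call is turned into an error path, and with the reordered initializer the callback never sees a torn-down object at all.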
Report Stats
- Report ID: 182274
- State: Closed
- Substate: resolved
- Upvotes: 15