Null pointer dereference in mrb_str_modify
Low
Vulnerability Details
The function mrb_str_modify doesn't check whether s->as.heap.ptr is NULL before operating on it.
The attempted write to a NULL pointer happens here:
```
RSTR_PTR(s)[s->as.heap.len] = '\0';  /* line 676 of the tested src/string.c */
```
PoC:
```ruby
a = String.new
a[0]
GC.start()
a.upcase!
```
Version tested: https://github.com/mruby/mruby/blob/e1ff71029f95e3274136263adbdc51c662ec52de/src/string.c
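The missing check described above, as an added C sketch that is not mruby's code or its actual fix. `toy_str` and both functions are hypothetical stand-ins for the heap string and the terminator write, assuming a buffer that holds `capa + 1` bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Simplified stand-in for a heap-backed string; NOT mruby's struct RString. */
struct toy_str {
    char  *ptr;   /* NULL when no buffer has been allocated yet */
    size_t len;   /* bytes in use */
    size_t capa;  /* usable bytes; the buffer holds capa + 1 */
};

/* "Before": same shape as the write in the report, no NULL check.
 * With ptr == NULL and len == 0 this writes to address 0. */
void toy_str_terminate_unchecked(struct toy_str *s)
{
    s->ptr[s->len] = '\0';
}

/* "After": validate the state before indexing the buffer.
 * Returns 0 on success, -1 on inconsistent state or allocation failure. */
int toy_str_terminate(struct toy_str *s)
{
    if (s == NULL)
        return -1;
    if (s->ptr == NULL) {
        if (s->len != 0)
            return -1;          /* a length without storage is corrupt state */
        s->ptr = malloc(1);     /* room for the terminator only */
        if (s->ptr == NULL)
            return -1;
        s->capa = 0;
    } else if (s->len > s->capa) {
        return -1;              /* terminator would land outside the buffer */
    }
    s->ptr[s->len] = '\0';
    return 0;
}

int main(void)
{
    struct toy_str empty = { NULL, 0, 0 };  /* constructed: string with no buffer */
    int rc = toy_str_terminate(&empty);
    printf("checked write on NULL buffer: rc=%d\n", rc);
    free(empty.ptr);
    return rc == 0 ? 0 : 1;
}
```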
Report Stats
- Report ID: 197723
- State: Closed
- Substate: resolved
- Upvotes: 4