ChaiScript Memory Corruption Vulnerability in Boxed_Number::get_as Function
Vulnerability
A memory corruption vulnerability has been identified in ChaiScript versions up to and including 6.1.0. The defect is in the Boxed_Number::get_as function in include/chaiscript/dispatchkit/boxed_number.hpp. It produces a segmentation fault when the result of an asynchronous function call is retrieved and used, in particular during string interpolation. The root cause appears to be improper handling of the Boxed_Value object's lifetime across threads, which leaves the Boxed_Value referencing memory that is no longer valid.
Impact
Triggering this vulnerability causes a segmentation fault, that is, an invalid memory access that crashes the application. Memory corruption of this kind can, under certain conditions, also be leveraged to execute arbitrary code, so the impact should not be assumed to be limited to denial of service.
Reproduction
To reproduce this vulnerability, build ChaiScript with release optimizations and AddressSanitizer (ASan) enabled. Then run a ChaiScript file that calls an asynchronous function returning a value and immediately uses that returned value in a string interpolation. The ASan-enabled build reports the segmentation fault and identifies the invalid memory access caused by the mishandled asynchronous result.