
Out-of-bound read in main_print_unhandled_exception #4244

Closed
paintedveil5 opened this issue Sep 29, 2020 · 4 comments · Fixed by #4350

Comments

paintedveil5 commented Sep 29, 2020

On line 180 of main-utils.c,

do
{
  ch = source_p[pos++];
  jerry_port_log (JERRY_LOG_LEVEL_ERROR, "%c", ch);
}
while (ch != '\n' && char_count++ < SYNTAX_ERROR_MAX_LINE_LENGTH);

will read out of bounds by at most 0x100 characters when a syntax error happens at the end of the input file.

JerryScript revision

0ffe166
(latest master - 2020.09.28.)

Build platform

Ubuntu 16.04.1 (Linux 4.15.0-117-generic x86_64)

Build steps
  1. Compile with Address Sanitizer
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --lto=off --error-message=on --system-allocator=on
  2. Compile without Address Sanitizer
python ./tools/build.py --clean --debug --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --lto=off --error-message=on --system-allocator=on
Test case
//debugger.js
try {
}
Execution steps
./jerry debugger.js
Output
  1. Compile with Address Sanitizer
==46414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf640077b at pc 0x0804ac7c bp 0xffb3af18 sp 0xffb3af08
READ of size 1 at 0xf640077b thread T0
    #0 0x804ac66 in main_print_unhandled_exception /home/lily/Desktop/debugger/jerryscript/jerry-main/main-utils.c:196
    #1 0x80498fc in main /home/lily/Desktop/debugger/jerryscript/jerry-main/main-unix.c:142
    #2 0xf782b646 in __libc_start_main (/lib32/libc.so.6+0x18646)
    #3 0x8049320  (/home/lily/Desktop/debugger/jerryscript/build/bin/jerry+0x8049320)

0xf640077b is located 0 bytes to the right of 27-byte region [0xf6400760,0xf640077b)
allocated by thread T0 here:
    #0 0xf7a5ddee in malloc (/usr/lib32/libasan.so.2+0x96dee)
    #1 0x819498a in jerry_port_read_source /home/lily/Desktop/debugger/jerryscript/jerry-port/default/default-module.c:58
    #2 0x804aaa7 in main_print_unhandled_exception /home/lily/Desktop/debugger/jerryscript/jerry-main/main-utils.c:164
    #3 0x80498fc in main /home/lily/Desktop/debugger/jerryscript/jerry-main/main-unix.c:142
    #4 0xf782b646 in __libc_start_main (/lib32/libc.so.6+0x18646)
  2. Compile without Address Sanitizer
��'��x�^		�0��Catch or finally block expected.Y��^	�'��SyntaxE�($�^	xx

^

SyntaxError: Catch or finally block expected. [debugger.js:4:1]
Expected behavior

On line 166 of main-utils.c

/* 2. seek and print */
while (pos < source_size && curr_line < err_line)
{
  if (source_p[pos] == '\n')
  {
    curr_line++;
  }
  pos++;
}

Please consider that the error line may be larger than the test case line number. The above "try" test case has just three lines, but the error happened on line 4 (a "catch" block is needed). The jerry_port_read_source (path_str_p, &source_size) call in main_print_unhandled_exception needs to malloc more memory to locate an error that happened outside source_size; meanwhile, the read operation on line 180 also needs to be limited by the extended error location range instead of .
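As an added example (not JerryScript's code), the seek loop from line 166 carried into a line-print routine in which every read is bounded by source_size, with the past-the-end error line from the report handled explicitly instead of read. The buffer layout (malloc'd, exactly source_size bytes, no terminating NUL) and the three-line sample source are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define SYNTAX_ERROR_MAX_LINE_LENGTH 256 /* 0x100, as in the report */
/* Constructed sample mirroring the report's debugger.js: three lines and no
 * trailing newline, so the reported error line 4 lies past the buffer end. */
static const char sample_source[] = "//debugger.js\ntry {\n}";
#define SAMPLE_SIZE (sizeof sample_source - 1) /* 21 bytes; the NUL is not in the buffer */
static char err_line_buf[SYNTAX_ERROR_MAX_LINE_LENGTH + 1];

/* Copy source line err_line (1-based) into out (capacity out_cap, always
 * NUL-terminated); return the byte count, or -1 if err_line is past the last
 * line. source_p is assumed to be a malloc'd buffer of exactly source_size
 * bytes with no terminating NUL, which is what the ASan report shows. */
static int print_error_line (const char *source_p, size_t source_size,
                             unsigned err_line, char *out, size_t out_cap)
{
  size_t pos = 0, n = 0;
  unsigned curr_line = 1;
  /* 1. seek: the same loop as main-utils.c line 166 */
  while (pos < source_size && curr_line < err_line)
  {
    if (source_p[pos] == '\n') curr_line++;
    pos++;
  }
  /* 2. the requested line does not exist: report it instead of reading on */
  if (curr_line < err_line)
  {
    if (out_cap > 0) out[0] = '\0';
    return -1;
  }
  /* 3. print: unlike the do/while on line 180, every read is guarded by
   * pos < source_size, so end-of-buffer ends the line the way '\n' would */
  while (pos < source_size && n < SYNTAX_ERROR_MAX_LINE_LENGTH
         && n + 1 < out_cap && source_p[pos] != '\n')
  {
    out[n++] = source_p[pos++];
  }
  if (out_cap > 0) out[n] = '\0';
  return (int) n;
}

int main (void)
{
  for (unsigned err_line = 1; err_line <= 4; err_line++)
  {
    int n = print_error_line (sample_source, SAMPLE_SIZE, err_line, err_line_buf, sizeof err_line_buf);
    if (n < 0) printf ("line %u: past the end of the %u-byte source\n", err_line, (unsigned) SAMPLE_SIZE);
    else printf ("line %u: \"%s\" (%d bytes)\n", err_line, err_line_buf, n);
  }
  return 0;
}
```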

@zherczeg
Member

Thank you for analyzing the issue; few people are doing this. This is a great help for us!

@ossy-szeged
Contributor

ossy-szeged commented Sep 29, 2020

It is the same bug as #4212, but I leave this one open.
Additional info from the other issue:

affected test262-esnext tests:
language/asi/S7.9_A5.7_T1.js
language/asi/S7.9_A9_T6.js
language/asi/S7.9_A9_T7.js
language/statements/try/S12.14_A16_T1.js

@dbatyai : This part of the source was refactored by edab196.

@zherczeg
Member

https://nvd.nist.gov/vuln/detail/CVE-2020-29657
9.1 critical
seriously...

@rzr
Contributor

rzr commented Jan 3, 2021
