
AddressSanitizer: global-buffer-overflow xsBigInt.c:936 in fxBigInt_ffs #890

Closed
arirubinstein opened this issue Apr 1, 2022 · 0 comments
Labels: confirmed (issue reported has been reproduced), fixed - please verify (Issue has been fixed. Please verify and close.)

Comments

@arirubinstein (Contributor):

Build environment: macOS
Target device: sdk

Version: 4998482db58a7cd216c75634e42db09835402da2

poc.js

function main() {
    const v2 = new ArrayBuffer();            // zero-length buffer
    const v3 = BigInt.fromArrayBuffer(v2);   // XS extension: yields a BigInt with no digits
    const v4 = v3 % v3;                      // remainder: fxBigInt_rem -> fxBigInt_udiv -> fxBigInt_ffs (crash site)
    gc();                                    // xst built-in that forces a garbage collection
}
main();

Invocation: xst poc.js

STDOUT: 
[COV] no shared memory bitmap available, skipping
[COV] edge counters initialized. Shared memory: (null) with 22796 edges

STDERR: 
=================================================================
==78966==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000102b56abc at pc 0x0001026df1b8 bp 0x00016d78ebb0 sp 0x00016d78eba8
READ of size 4 at 0x000102b56abc thread T0
    #0 0x1026df1b4 in fxBigInt_ffs xsBigInt.c:936
    #1 0x1026dcea4 in fxBigInt_udiv xsBigInt.c:1781
    #2 0x1026e7230 in fxBigInt_rem xsBigInt.c:1694
    #3 0x10297fa8c in fxToNumericNumberBinary xsRun.c:4694
    #4 0x10295dfbc in fxRunID xsRun.c:3444
    #5 0x102984f7c in fxRunScript xsRun.c:4787
    #6 0x102b25478 in fxRunProgramFile xst.c:1866
    #7 0x102b200b8 in main xst.c:332
    #8 0x102ebd084 in start+0x200 (dyld:arm64e+0x5084)

0x000102b56abc is located 36 bytes to the left of global variable '__const.fxBigintToString.data' defined in '/Users/ari/fuzzing/moddable/xs/sources/xsBigInt.c' (0x102b56ae0) of size 4
0x000102b56abc is located 4 bytes to the left of global variable 'gxDataZero' defined in '/Users/ari/fuzzing/moddable/xs/sources/xsBigInt.c:58:12' (0x102b56ac0) of size 4
0x000102b56abc is located 24 bytes to the right of global variable 'gxDataOne' defined in '/Users/ari/fuzzing/moddable/xs/sources/xsBigInt.c:57:12' (0x102b56aa0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow xsBigInt.c:936 in fxBigInt_ffs
==78966==ABORTING

Status: 
pid 78966 SIGABRT (signal 6)
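A constructed C model of the bug class behind this report, added here and not code from the Moddable XS sources: the digit-array layout, the global name and the function names are assumptions, and the only facts taken from the report are that a BigInt built from an empty ArrayBuffer has no digits and that the first-set-bit scan reached from rem/udiv reads the 4 bytes just before the zero-digit global.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a 32-bit-digit BigInt (field names are assumptions, not XS's). */
typedef struct {
    uint32_t *data;   /* digits, data[0] least significant */
    uint32_t  size;   /* digit count; 0 for a BigInt made from an empty ArrayBuffer */
} bigint_t;

static uint32_t digit_zero = 0;  /* plays the role of the report's gxDataZero global */

/* Position (0-based, from the least significant bit) of the highest set bit,
   or -1 when there is no digit or every digit is zero.  Long division
   normalises by this value, which is why a udiv routine calls it first.
   The explicit size == 0 check is the hardening: a scan that starts at
   data[size - 1] with size == 0 reads the 4 bytes just before the array,
   which is what the ASan report shows next to gxDataZero. */
int bigint_msb(const bigint_t *b) {
    if (b == NULL || b->size == 0) return -1;
    for (uint32_t i = b->size; i-- > 0; ) {      /* top digit first, no index underflow */
        uint32_t d = b->data[i];
        if (d == 0) continue;
        int bit = 31;
        while (!(d & (1u << bit))) bit--;
        return (int)(i * 32) + bit;
    }
    return -1;
}

/* Reject an empty or zero divisor before any digit scan, the way a hardened
   rem/udiv entry point should.  Returns 0 when division may proceed, -1 otherwise. */
int bigint_rem_check(const bigint_t *dividend, const bigint_t *divisor) {
    (void)dividend;
    return bigint_msb(divisor) < 0 ? -1 : 0;
}

int main(void) {
    bigint_t empty = { &digit_zero, 0 };       /* models BigInt.fromArrayBuffer(new ArrayBuffer()) */
    uint32_t digits[2] = { 0x00000000u, 0x00000010u };
    bigint_t v = { digits, 2 };
    printf("msb(empty) = %d\n", bigint_msb(&empty));          /* -1, no out-of-bounds read */
    printf("msb(v) = %d\n", bigint_msb(&v));                  /* 36 */
    printf("rem check = %d\n", bigint_rem_check(&v, &empty)); /* -1 */
    return 0;
}
```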
mkellner pushed a commit that referenced this issue Apr 4, 2022
phoddie added the labels confirmed (issue reported has been reproduced) and fixed - please verify (Issue has been fixed. Please verify and close.) on Apr 4, 2022
phoddie closed this as completed on May 2, 2022