
Invalid read on jsiConsolePrintString #1420

Closed
hongxuchen opened this issue May 18, 2018 · 1 comment

@hongxuchen

Using our fuzzer on 64-bit Linux, we found an invalid read of a null pointer in jsiConsolePrintString (src/jsinteractive.c:224). It seems to result from a failed sanity check on an array buffer.

Address sanitizer output:

ASAN:DEADLYSIGNAL
=================================================================
==29932==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55653e7383a5 bp 0x7ffd782de7f0 sp 0x7ffd782de7e0 T0)
==29932==The signal is caused by a READ memory access.
==29932==Hint: address points to the zero page.
    #0 0x55653e7383a4 in jsiConsolePrintString src/jsinteractive.c:224
    #1 0x55653e7217fc in vcbprintf src/jsutils.c:739
    #2 0x55653e7384d0 in jsiConsolePrintf src/jsinteractive.c:248
    #3 0x55653e715f87 in _jsvTrace src/jsvar.c:3317
    #4 0x55653e7161ee in _jsvTrace src/jsvar.c:3344
    #5 0x55653e71629e in _jsvTrace src/jsvar.c:3354
    #6 0x55653e7161ee in _jsvTrace src/jsvar.c:3344
    #7 0x55653e71629e in _jsvTrace src/jsvar.c:3354
    #8 0x55653e71640a in jsvTrace src/jsvar.c:3369
    #9 0x55653e71fdb6 in jsAssertFail src/jsutils.c:362
    #10 0x55653e71b8e5 in jsvArrayBufferIteratorDataToInt src/jsvariterator.c:352
    #11 0x55653e71c0c0 in jsvArrayBufferIteratorGetIntegerValue src/jsvariterator.c:397
    #12 0x55653e75df42 in lcdSetPixels_ArrayBuffer libs/graphics/lcd_arraybuffer.c:81
    #13 0x55653e75e3b8 in lcdFillRect_ArrayBuffer libs/graphics/lcd_arraybuffer.c:108
    #14 0x55653e759f7a in graphicsFillRectDevice libs/graphics/graphics.c:202
    #15 0x55653e75a09e in graphicsFillRect libs/graphics/graphics.c:220
    #16 0x55653e8117ed in jswrap_graphics_fillRect libs/graphics/jswrap_graphics.c:312
    #17 0x55653e72436f in jsnCallFunction src/jsnative.c:231
    #18 0x55653e727a3d in jspeFunctionCall src/jsparse.c:624
    #19 0x55653e72a27e in jspeFactorFunctionCall src/jsparse.c:1224
    #20 0x55653e72e2e3 in jspePostfixExpression src/jsparse.c:1765
    #21 0x55653e72e63a in jspeUnaryExpression src/jsparse.c:1791
    #22 0x55653e72e91e in __jspeBinaryExpression src/jsparse.c:1856
    #23 0x55653e72eceb in jspeBinaryExpression src/jsparse.c:1919
    #24 0x55653e72ef39 in jspeConditionalExpression src/jsparse.c:1955
    #25 0x55653e72f675 in jspeAssignmentExpression src/jsparse.c:2020
    #26 0x55653e72f696 in jspeExpression src/jsparse.c:2026
    #27 0x55653e733ac3 in jspeStatement src/jsparse.c:2675
    #28 0x55653e72fc15 in jspeBlockOrStatement src/jsparse.c:2079
    #29 0x55653e72fd1f in jspParse src/jsparse.c:2091
    #30 0x55653e734f8f in jspEvaluateVar src/jsparse.c:2901
    #31 0x55653e7352ea in jspEvaluate src/jsparse.c:2933
    #32 0x55653e7dc7e5 in main targets/linux/main.c:330
    #33 0x7f2f421a5b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #34 0x55653e6f7f69 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x35f69)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsinteractive.c:224 in jsiConsolePrintString
==29932==ABORTING

crash input files:
test.txt
test2.txt
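
The stack trace above shows the crash on the diagnostic path: a sanity check in jsvArrayBufferIteratorDataToInt fails, jsAssertFail traces the variable, and the trace ends up printing a string through jsiConsolePrintString with a NULL pointer. The following is an added example and is not Espruino's code; it assumes (as a reading of the trace, not a confirmed root cause) that the traced value has a field the failed invariant left unset, and that the printer walks the string without a NULL check. All names (print_string_unsafe, print_string_safe, buffer_sanity_check, trace_buffer, check_and_trace, toy_buffer) are hypothetical, and the sample buffers are constructed for the example.

```c
/* Added example, not Espruino's code: a minimal string printer in the
 * style of a console-print routine, unhardened beside hardened, and a
 * trace path run from a failed sanity check that feeds it a NULL field.
 * All identifiers are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <stdbool.h>

/* Output sink: a fixed buffer so results can be checked without a terminal. */
static char out_buf[256];
static size_t out_len;

static void out_reset(void) { out_len = 0; out_buf[0] = '\0'; }

static void out_putc(char c) {
    if (out_len + 1 < sizeof out_buf) {
        out_buf[out_len++] = c;
        out_buf[out_len] = '\0';
    }
}

/* Unhardened printer: mirrors the reported failure mode. It walks the
 * string with no NULL check, so a NULL argument is a read at address 0. */
static void print_string_unsafe(const char *s) {
    while (*s) out_putc(*s++);
}

/* Hardened printer: substitutes a visible placeholder, so a diagnostic
 * path (a trace run from an assertion handler) never crashes on a field
 * that the failed invariant left unset. */
static void print_string_safe(const char *s) {
    if (!s) s = "(null)";
    while (*s) out_putc(*s++);
}

/* Toy array-buffer-like value. Invariant (assumed for the example): a
 * value with `data` set also has a `name` and a non-zero `len`. */
struct toy_buffer {
    const char *name;
    const unsigned char *data;
    size_t len;
};

static bool buffer_sanity_check(const struct toy_buffer *b) {
    return b->data == NULL || (b->name != NULL && b->len > 0);
}

/* Trace routine invoked after a sanity-check failure. `safe` selects the
 * printer. Returns the number of characters emitted into out_buf. */
static size_t trace_buffer(const struct toy_buffer *b, bool safe) {
    out_reset();
    void (*p)(const char *) = safe ? print_string_safe : print_string_unsafe;
    p("buffer name=");
    p(b->name);            /* NULL for the corrupt value: the unsafe path faults here */
    p(" len=");
    char tmp[32];
    snprintf(tmp, sizeof tmp, "%zu", b->len);
    p(tmp);
    return out_len;
}

/* Sample inputs, constructed for this example. */
static const unsigned char sample_data[4] = {1, 2, 3, 4};
static const struct toy_buffer good_buffer    = { "buf", sample_data, 4 };
static const struct toy_buffer corrupt_buffer = { NULL,  sample_data, 4 };  /* violates the invariant */

/* Hardened assert-handler shape: if the check fails, trace the value with
 * the NULL-safe printer. Returns the trace length, or 0 if the check passed. */
static size_t check_and_trace(const struct toy_buffer *b) {
    if (buffer_sanity_check(b)) return 0;
    return trace_buffer(b, true);
}

int main(void) {
    check_and_trace(&corrupt_buffer);
    printf("%s\n", out_buf);   /* buffer name=(null) len=4 */
    return 0;
}
```

The point the trace illustrates is that code reached from an assertion-failure handler is running precisely when an invariant does not hold, so it cannot rely on the fields that invariant guarantees; the printer is the last place that can catch the NULL before it is dereferenced. Calling trace_buffer(&corrupt_buffer, false) reproduces the read at address 0 under AddressSanitizer.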

@gfwilliams
Member

Thanks!
