Invalid read on jsvGetAddressOf #1421

Closed
hongxuchen opened this issue May 18, 2018 · 1 comment


hongxuchen commented May 18, 2018

With our fuzzer we found multiple invalid read errors in jsvGetAddressOf (src/jsvar.c:117) on a 64-bit Linux machine.

The ASan results look like this:

ASAN:DEADLYSIGNAL
=================================================================
==31177==ERROR: AddressSanitizer: SEGV on unknown address 0x602000333348 (pc 0x5609dd3cf645 bp 0x7ffc63aaa710 sp 0x7ffc63aaa6f0 T0)
==31177==The signal is caused by a READ memory access.
    #0 0x5609dd3cf644 in jsvGetAddressOf src/jsvar.c:117
    #1 0x5609dd3da0bb in jsvFindChildFromString src/jsvar.c:2405
    #2 0x5609dd420e45 in graphicsSetVar libs/graphics/graphics.c:129
    #3 0x5609dd4d9674 in jswrap_graphics_clear libs/graphics/jswrap_graphics.c:293
    #4 0x5609dd3eac70 in jsnCallFunction src/jsnative.c:64
    #5 0x5609dd3efa3d in jspeFunctionCall src/jsparse.c:624
    #6 0x5609dd3f227e in jspeFactorFunctionCall src/jsparse.c:1224
    #7 0x5609dd3f62e3 in jspePostfixExpression src/jsparse.c:1765
    #8 0x5609dd3f663a in jspeUnaryExpression src/jsparse.c:1791
    #9 0x5609dd3f6cde in jspeBinaryExpression src/jsparse.c:1919
    #10 0x5609dd3f6f39 in jspeConditionalExpression src/jsparse.c:1955
    #11 0x5609dd3f7675 in jspeAssignmentExpression src/jsparse.c:2020
    #12 0x5609dd3f7696 in jspeExpression src/jsparse.c:2026
    #13 0x5609dd3fbac3 in jspeStatement src/jsparse.c:2675
    #14 0x5609dd3f7c15 in jspeBlockOrStatement src/jsparse.c:2079
    #15 0x5609dd3f7d1f in jspParse src/jsparse.c:2091
    #16 0x5609dd3fcf8f in jspEvaluateVar src/jsparse.c:2901
    #17 0x5609dd3fd2ea in jspEvaluate src/jsparse.c:2933
    #18 0x5609dd4a47e5 in main targets/linux/main.c:330
    #19 0x7f27c8e4bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #20 0x5609dd3bff69 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x35f69)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsvar.c:117 in jsvGetAddressOf
==31177==ABORTING

crash input files:
test_0.txt
test_1.txt
test_2.txt

gfwilliams (Member) commented:

Thanks for this! It was a missing check on the arraybuffer height (vertical_byte must be a multiple of 8 bits).
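To make the root cause concrete, here is an added example (not Espruino's code) of the kind of check the fix adds. It assumes a hypothetical 1bpp `vertical_byte` layout in which each byte holds 8 vertically adjacent pixels of one column, so a buffer sized with the naive `width*height/8` (integer division) is too small whenever `height` is not a multiple of 8, and pixel writes near the bottom rows land past the allocation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical vertical_byte framebuffer: each byte holds 8 vertically
 * adjacent 1bpp pixels of one column (bit 0 = topmost row of that group).
 * The layout is an assumption for this example, not Espruino's exact code. */
typedef struct {
  unsigned width, height;
  size_t len;      /* bytes actually allocated */
  uint8_t *data;
} VBuf;

/* Naive size: truncates when height % 8 != 0 (the under-allocation). */
size_t vbuf_naive_len(unsigned width, unsigned height) {
  return (size_t)width * height / 8u;
}

/* Size the layout really reaches: one byte per 8 rows, rounded up, per column. */
size_t vbuf_required_len(unsigned width, unsigned height) {
  return (size_t)width * ((height + 7u) / 8u);
}

/* Creation-time check corresponding to the fix: reject unsuitable heights. */
bool vbuf_height_ok(unsigned height) {
  return height != 0 && (height % 8u) == 0;
}

/* Guarded pixel write: refuses instead of reading/writing past len. */
bool vbuf_set_pixel(VBuf *b, unsigned x, unsigned y) {
  if (x >= b->width || y >= b->height) return false;
  size_t idx = (size_t)(y / 8u) * b->width + x;
  if (idx >= b->len) return false;   /* this is where the OOB access would be */
  b->data[idx] |= (uint8_t)(1u << (y % 8u));
  return true;
}

/* 1 if writing (x,y) into a width*height buffer of len bytes is rejected, else 0. */
int vbuf_write_rejected(unsigned width, unsigned height, size_t len, unsigned x, unsigned y) {
  uint8_t store[64] = {0};
  if (len > sizeof store) return -1;
  VBuf b = { width, height, len, store };
  return vbuf_set_pixel(&b, x, y) ? 0 : 1;
}

int main(void) {
  /* Constructed case: 8x10 buffer, naive size 10 bytes, layout needs 16. */
  printf("naive=%zu required=%zu height_ok=%d rejected=%d\n",
         vbuf_naive_len(8, 10), vbuf_required_len(8, 10),
         vbuf_height_ok(10), vbuf_write_rejected(8, 10, vbuf_naive_len(8, 10), 7, 9));
  return 0;
}
```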
