
stack over flow error during parsing #1427

Closed
@hongxuchen

Description

We found with our fuzzer a stack overflow when the input file contains many parentheses.

ASAN:DEADLYSIGNAL
=================================================================
==28915==ERROR: AddressSanitizer: stack-overflow on address 0x7fffad975fb0 (pc 0x55fb67713a27 bp 0x7fffad976050 sp 0x7fffad975f30 T0)
    #0 0x55fb67713a26 in jspeFactor src/jsparse.c:1569
    #1 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #2 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #3 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #4 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #5 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #6 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #7 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #8 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #9 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #10 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #11 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #12 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #13 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #14 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #15 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #16 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #17 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #18 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #19 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #20 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #21 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #22 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #23 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #24 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #25 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #26 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #27 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #28 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #29 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #30 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #31 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #32 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #33 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #34 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #35 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #36 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #37 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #38 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #39 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #40 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #41 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #42 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #43 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #44 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #45 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #46 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #47 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #48 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #49 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #50 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #51 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #52 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #53 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #54 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #55 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #56 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #57 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #58 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #59 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #60 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #61 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #62 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #63 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #64 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #65 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #66 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #67 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #68 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #69 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #70 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #71 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #72 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #73 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #74 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #75 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #76 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #77 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #78 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #79 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #80 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #81 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #82 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #83 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #84 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #85 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #86 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #87 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #88 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #89 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #90 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #91 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #92 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #93 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #94 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #95 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #96 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #97 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #98 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #99 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #100 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #101 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #102 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #103 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #104 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #105 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #106 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #107 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #108 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #109 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #110 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #111 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #112 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #113 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #114 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #115 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #116 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #117 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #118 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #119 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #120 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #121 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #122 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #123 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #124 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #125 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #126 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #127 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #128 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #129 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #130 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #131 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #132 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #133 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #134 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #135 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #136 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #137 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #138 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #139 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #140 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #141 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #142 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #143 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #144 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #145 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #146 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #147 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #148 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #149 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #150 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #151 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #152 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #153 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #154 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #155 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #156 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #157 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #158 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #159 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #160 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #161 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #162 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #163 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #164 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #165 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #166 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #167 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #168 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #169 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #170 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #171 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #172 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #173 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #174 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #175 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #176 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #177 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #178 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #179 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #180 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #181 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #182 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #183 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #184 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #185 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #186 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #187 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #188 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #189 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #190 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #191 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #192 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #193 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #194 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #195 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #196 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #197 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #198 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #199 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #200 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #201 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #202 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #203 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #204 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #205 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #206 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #207 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #208 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #209 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #210 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #211 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #212 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #213 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #214 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #215 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #216 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #217 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #218 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #219 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #220 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #221 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #222 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #223 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #224 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #225 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #226 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #227 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #228 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #229 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #230 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #231 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #232 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #233 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #234 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #235 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #236 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #237 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #238 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #239 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #240 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #241 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #242 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765
    #243 0x55fb67715ac6 in jspeUnaryExpression src/jsparse.c:1791
    #244 0x55fb6771616a in jspeBinaryExpression src/jsparse.c:1919
    #245 0x55fb677163c5 in jspeConditionalExpression src/jsparse.c:1955
    #246 0x55fb67716b01 in jspeAssignmentExpression src/jsparse.c:2020
    #247 0x55fb67713080 in jspeExpressionOrArrowFunction src/jsparse.c:1485
    #248 0x55fb6771407e in jspeFactor src/jsparse.c:1606
    #249 0x55fb67711548 in jspeFactorFunctionCall src/jsparse.c:1200
    #250 0x55fb6771576f in jspePostfixExpression src/jsparse.c:1765

SUMMARY: AddressSanitizer: stack-overflow src/jsparse.c:1569 in jspeFactor
==28915==ABORTING

sample input file:
so_0.txt
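The trace above shows the usual shape of this bug class: a recursive-descent parser whose factor rule re-enters the expression rule on every '(' (jspeFactor -> jspeExpressionOrArrowFunction -> ... -> jspeFactor), so C stack consumption grows linearly with input nesting and untrusted input picks the recursion depth. The example below is an added illustration, not Espruino's code and not the fix that was applied upstream: a toy parser with the same factor/expression cycle, plus the standard mitigation of an explicit nesting budget checked before each recursive descent. The grammar, the function names, the return codes and the limit of 256 are assumptions chosen for the example; make_nested builds the same kind of input the fuzzer produced (n opening parentheses, a number, n closing parentheses), constructed here rather than taken from so_0.txt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for parse_checked() (assumed names, not Espruino's). */
enum { PARSE_OK = 0, PARSE_SYNTAX = -1, PARSE_TOO_DEEP = -2 };

typedef struct {
    const char *src;   /* input being parsed */
    size_t pos;        /* current offset into src */
    int max_depth;     /* nesting budget; exceeding it yields PARSE_TOO_DEEP */
} parser_t;

static int parse_expr(parser_t *p, int depth);

static void skip_ws(parser_t *p) {
    while (p->src[p->pos] == ' ') p->pos++;
}

/* factor := number | '(' expr ')'
 * The '(' branch closes the recursion cycle: every nested '(' pushes another
 * parse_expr/parse_factor frame pair, exactly like the jspe* chain above. */
static int parse_factor(parser_t *p, int depth) {
    skip_ws(p);
    char c = p->src[p->pos];
    if (c >= '0' && c <= '9') {
        while (p->src[p->pos] >= '0' && p->src[p->pos] <= '9') p->pos++;
        return PARSE_OK;
    }
    if (c == '(') {
        /* Depth guard: refuse before recursing, while the stack is still shallow. */
        if (depth >= p->max_depth) return PARSE_TOO_DEEP;
        p->pos++;
        int rc = parse_expr(p, depth + 1);
        if (rc != PARSE_OK) return rc;
        skip_ws(p);
        if (p->src[p->pos] != ')') return PARSE_SYNTAX;
        p->pos++;
        return PARSE_OK;
    }
    return PARSE_SYNTAX;
}

/* expr := factor ('+' factor)* ; depth is passed through unchanged because
 * only parentheses add a level of nesting. */
static int parse_expr(parser_t *p, int depth) {
    int rc = parse_factor(p, depth);
    if (rc != PARSE_OK) return rc;
    for (;;) {
        skip_ws(p);
        if (p->src[p->pos] != '+') return PARSE_OK;
        p->pos++;
        rc = parse_factor(p, depth);
        if (rc != PARSE_OK) return rc;
    }
}

/* Parse src with a bounded nesting depth. The parser never recurses more
 * than max_depth levels, whatever the input looks like. */
int parse_checked(const char *src, int max_depth) {
    parser_t p = { src, 0, max_depth };
    int rc = parse_expr(&p, 0);
    if (rc != PARSE_OK) return rc;
    skip_ws(&p);
    return p.src[p.pos] == '\0' ? PARSE_OK : PARSE_SYNTAX;
}

/* Constructed reproducer input: n times '(', then "1", then n times ')'.
 * buf must hold 2*n + 2 bytes; returns the written length, 0 if it does not fit. */
size_t make_nested(char *buf, size_t cap, int n) {
    if (n < 0 || (size_t)(2 * n + 2) > cap) return 0;
    memset(buf, '(', (size_t)n);
    buf[n] = '1';
    memset(buf + n + 1, ')', (size_t)n);
    buf[2 * n + 1] = '\0';
    return (size_t)(2 * n + 1);
}

/* Build an n-deep input and parse it under max_depth; returns the parse code. */
int nested_result(int n, int max_depth) {
    static char buf[1 << 16];
    if (make_nested(buf, sizeof buf, n) == 0) return PARSE_SYNTAX;
    return parse_checked(buf, max_depth);
}

int main(void) {
    int depths[] = { 10, 1000, 30000 };
    for (size_t i = 0; i < sizeof depths / sizeof depths[0]; i++)
        printf("nesting %5d, limit 256 -> %d\n", depths[i],
               nested_result(depths[i], 256));
    return 0;
}
```

The guard has to run before the recursive call, not inside the callee after its frame has been pushed, and the limit should be sized to the smallest stack the interpreter runs on (on the microcontrollers Espruino targets that is far less than a desktop's 8 MB), so an input like so_0.txt is rejected with a parse error instead of a crash.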
