stack buffer over flow inside jsvGetString

[hongxuchen]

We found some buffer overflows against commit c36d305 in jsvGetString src/jsvar.c:1194 with address sanitizer. Till now, all these crashes involve the arrow function parsing. We haven't digged into the root cause yet, but we reduced the test input as:

../Espruino-asan/espruino -e '"".r(/l/g,r=>)'

The error output is like:

==25159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5637674b662a at pc 0x5637673a29e2 bp 0x7ffcdd48d8b0 sp 0x7ffcdd48d8a0
READ of size 1 at 0x5637674b662a thread T0
    #0 0x5637673a29e1 in jsvGetString src/jsvar.c:1194
    #1 0x5637673c2ec5 in jspeAddNamedFunctionParameter src/jsparse.c:1452
    #2 0x5637673c305b in jspeArrowFunction src/jsparse.c:1464
    #3 0x5637673be535 in jspeParseFunctionCallBrackets src/jsparse.c:488
    #4 0x5637673c0226 in jspeFunctionCall src/jsparse.c:905
    #5 0x5637673c17f3 in jspeFactorFunctionCall src/jsparse.c:1224
    #6 0x5637673c5897 in jspePostfixExpression src/jsparse.c:1766
    #7 0x5637673c5bee in jspeUnaryExpression src/jsparse.c:1792
    #8 0x5637673c6292 in jspeBinaryExpression src/jsparse.c:1920
    #9 0x5637673c64ed in jspeConditionalExpression src/jsparse.c:1956
    #10 0x5637673c6c29 in jspeAssignmentExpression src/jsparse.c:2021
    #11 0x5637673c6c4a in jspeExpression src/jsparse.c:2027
    #12 0x5637673cb068 in jspeStatement src/jsparse.c:2674
    #13 0x5637673c71c9 in jspeBlockOrStatement src/jsparse.c:2080
    #14 0x5637673c72d3 in jspParse src/jsparse.c:2092
    #15 0x5637673cc534 in jspEvaluateVar src/jsparse.c:2900
    #16 0x5637673cc88f in jspEvaluate src/jsparse.c:2932
    #17 0x5637674735c0 in main targets/linux/main.c:270
    #18 0x7f8e24086b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x56376738f0c9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x360c9)

0x5637674b662a is located 54 bytes to the left of global variable '*.LC42' defined in 'src/jsvar.c' (0x5637674b6660) of size 5
  '*.LC42' is ascii string 'null'
0x5637674b662a is located 0 bytes to the right of global variable '*.LC41' defined in 'src/jsvar.c' (0x5637674b6620) of size 10
  '*.LC41' is ascii string 'undefined'
SUMMARY: AddressSanitizer: global-buffer-overflow src/jsvar.c:1194 in jsvGetString
Shadow bytes around the buggy address:
  0x0ac76ce8ec70: 00 00 03 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
  0x0ac76ce8ec80: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 00 07 f9 f9
  0x0ac76ce8ec90: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ac76ce8eca0: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 07
  0x0ac76ce8ecb0: f9 f9 f9 f9 00 06 f9 f9 f9 f9 f9 f9 00 06 f9 f9
=>0x0ac76ce8ecc0: f9 f9 f9 f9 00[02]f9 f9 f9 f9 f9 f9 05 f9 f9 f9
  0x0ac76ce8ecd0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
  0x0ac76ce8ece0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 01 f9 f9
  0x0ac76ce8ecf0: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ac76ce8ed00: f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
  0x0ac76ce8ed10: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25159==ABORTING

[gfwilliams]

Thanks - try now.

That's embarrassing - I messed up a string copy in my most recent changes.