We found some buffer overflows against commit c36d305 in jsvGetString (src/jsvar.c:1194) with AddressSanitizer. So far, all these crashes involve arrow function parsing. We haven't dug into the root cause yet, but we reduced the test input to:
../Espruino-asan/espruino -e '"".r(/l/g,r=>)'
The error output is as follows:
==25159==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5637674b662a at pc 0x5637673a29e2 bp 0x7ffcdd48d8b0 sp 0x7ffcdd48d8a0
READ of size 1 at 0x5637674b662a thread T0
#0 0x5637673a29e1 in jsvGetString src/jsvar.c:1194
#1 0x5637673c2ec5 in jspeAddNamedFunctionParameter src/jsparse.c:1452
#2 0x5637673c305b in jspeArrowFunction src/jsparse.c:1464
#3 0x5637673be535 in jspeParseFunctionCallBrackets src/jsparse.c:488
#4 0x5637673c0226 in jspeFunctionCall src/jsparse.c:905
#5 0x5637673c17f3 in jspeFactorFunctionCall src/jsparse.c:1224
#6 0x5637673c5897 in jspePostfixExpression src/jsparse.c:1766
#7 0x5637673c5bee in jspeUnaryExpression src/jsparse.c:1792
#8 0x5637673c6292 in jspeBinaryExpression src/jsparse.c:1920
#9 0x5637673c64ed in jspeConditionalExpression src/jsparse.c:1956
#10 0x5637673c6c29 in jspeAssignmentExpression src/jsparse.c:2021
#11 0x5637673c6c4a in jspeExpression src/jsparse.c:2027
#12 0x5637673cb068 in jspeStatement src/jsparse.c:2674
#13 0x5637673c71c9 in jspeBlockOrStatement src/jsparse.c:2080
#14 0x5637673c72d3 in jspParse src/jsparse.c:2092
#15 0x5637673cc534 in jspEvaluateVar src/jsparse.c:2900
#16 0x5637673cc88f in jspEvaluate src/jsparse.c:2932
#17 0x5637674735c0 in main targets/linux/main.c:270
#18 0x7f8e24086b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#19 0x56376738f0c9 in _start (/home/hongxu/tests/Espruino-asan/espruino+0x360c9)
0x5637674b662a is located 54 bytes to the left of global variable '*.LC42' defined in 'src/jsvar.c' (0x5637674b6660) of size 5
'*.LC42' is ascii string 'null'
0x5637674b662a is located 0 bytes to the right of global variable '*.LC41' defined in 'src/jsvar.c' (0x5637674b6620) of size 10
'*.LC41' is ascii string 'undefined'
SUMMARY: AddressSanitizer: global-buffer-overflow src/jsvar.c:1194 in jsvGetString
Shadow bytes around the buggy address:
==25159==ABORTING