This is a critical bug which will eventually cause memory corruption, and thus may pose a potential remote code execution threat to users.
It happens in jswrap_object.c:jswrap_function_replaceWith, so if we pass a null pointer as the parameter oldFunc, it may crash. If we provide oldFunc with another address or another number, it may cause remote code execution.
```c
// Excerpt from jswrap_object.c as quoted in the report
void jswrap_function_replaceWith(JsVar *oldFunc, JsVar *newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // Only newFunc is validated; oldFunc is dereferenced below without any check
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV_NATIVE;
    else
      oldFunc->flags &= ~JSV_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags & ~JSV_VARTYPEMASK) | JSV_FUNCTION_RETURN;
    else
      oldFunc->flags = (oldFunc->flags & ~JSV_VARTYPEMASK) | JSV_FUNCTION;
  }
  // (remainder of the function not included in the report)
}
```
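The fix a maintainer would want here is to validate oldFunc with the same predicate already applied to newFunc before any flag bits are written through it. The following is an added example, not Espruino's code: a self-contained model of the flag rewrite with that check in place. The JSV_* flag values, the JsVar struct and the jsv* helper bodies are constructed for this demo and are not copied from Espruino's jsvar.h.

```c
/* Added example (not Espruino's code): a self-contained model of the flag rewrite in
 * jswrap_function_replaceWith, with the oldFunc check the report shows missing. Flag
 * values and helper bodies are constructed for this demo, not copied from jsvar.h. */
#include <stdbool.h>
#include <stddef.h>

#define JSV_VARTYPEMASK     0x0Fu  /* constructed layout */
#define JSV_INTEGER         0x01u
#define JSV_FUNCTION        0x02u
#define JSV_FUNCTION_RETURN 0x03u
#define JSV_NATIVE          0x10u
#define REJECTED            0xFFFFu

typedef struct { unsigned flags; } JsVar;
/* Mock predicates; all tolerate NULL, which is what makes the check below safe. */
static bool jsvIsFunction(const JsVar *v) {
  if (!v) return false;
  unsigned t = v->flags & JSV_VARTYPEMASK;
  return t == JSV_FUNCTION || t == JSV_FUNCTION_RETURN;
}
static bool jsvIsNativeFunction(const JsVar *v) {
  return jsvIsFunction(v) && (v->flags & JSV_NATIVE);
}
static bool jsvIsFunctionReturn(const JsVar *v) {
  return v && (v->flags & JSV_VARTYPEMASK) == JSV_FUNCTION_RETURN;
}

/* Hardened flag copy: refuses to touch oldFunc unless BOTH arguments are
 * functions, so a NULL or non-function oldFunc is never written through. */
static bool replaceWithFlags(JsVar *oldFunc, const JsVar *newFunc) {
  if (!jsvIsFunction(newFunc)) return false;  /* check already in the original */
  if (!jsvIsFunction(oldFunc)) return false;  /* the check the report shows missing */
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc)) oldFunc->flags |= JSV_NATIVE;
    else oldFunc->flags &= ~JSV_NATIVE;
  }
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    unsigned base = oldFunc->flags & ~JSV_VARTYPEMASK;
    oldFunc->flags = base | (jsvIsFunctionReturn(newFunc) ? JSV_FUNCTION_RETURN : JSV_FUNCTION);
  }
  return true;
}

/* Runs one scenario on stack variables; returns oldFunc's final flags, or
 * REJECTED when the call was refused without writing anything. */
static unsigned scenario(unsigned oldFlags, unsigned newFlags, bool nullOld) {
  JsVar oldV = { oldFlags }, newV = { newFlags };
  if (!replaceWithFlags(nullOld ? NULL : &oldV, &newV)) return REJECTED;
  return oldV.flags;
}
```

With the check in place, a NULL or integer oldFunc is rejected before any dereference, while a genuine function still receives the native and return-type bits of newFunc.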
env
Ubuntu 18.04
Espruino 6ea4c0a