This is a critical bug which will eventually cause memory corruption, and thus may pose a potential remote code execution threat to the users.
It happens at `jswrap_object.c:jswrap_function_replaceWith`: if we pass a null pointer as the oldFunc parameter, it may crash. If we provide oldFunc with another address or another number, it may cause remote code execution.
```c
void jswrap_function_replaceWith(JsVar *oldFunc, JsVar *newFunc) {
  if (!jsvIsFunction(newFunc)) {
    jsExceptionHere(JSET_TYPEERROR, "First argument of replaceWith should be a function - ignoring");
    return;
  }
  // Only newFunc is validated above; oldFunc is dereferenced below without
  // any NULL or type check.
  // If old was native or vice versa...
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV_NATIVE;
    else
      oldFunc->flags &= ~JSV_NATIVE;
  }
  // If old fn started with 'return' or vice versa...
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    if (jsvIsFunctionReturn(newFunc))
      oldFunc->flags = (oldFunc->flags & ~JSV_VARTYPEMASK) | JSV_FUNCTION_RETURN;
    else
      oldFunc->flags = (oldFunc->flags & ~JSV_VARTYPEMASK) | JSV_FUNCTION;
  }
  // ... remainder of the function is not quoted in the report
```
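As an added illustration (not code from the report or from Espruino), the same flag-rewriting logic in a cut-down model with the missing guard on oldFunc added; the `JsVar` layout, the flag values and the helper names are assumptions made for this example.

```c
/* Added example, not Espruino code. JsVar layout, flag values and
 * helper semantics below are assumptions that only model the excerpt. */
#include <stdbool.h>
#include <stddef.h>

typedef unsigned short JsVarFlags;
#define JSV_VARTYPEMASK     0x00FF  /* assumed: low byte holds the type */
#define JSV_FUNCTION        0x0001  /* assumed type code */
#define JSV_FUNCTION_RETURN 0x0002  /* assumed type code */
#define JSV_STRING          0x0003  /* assumed: some non-function type */
#define JSV_NATIVE          0x0100  /* assumed flag bit */

typedef struct { JsVarFlags flags; } JsVar;

static bool jsvIsFunction(const JsVar *v) {
  if (!v) return false;                      /* NULL is never a function */
  JsVarFlags t = v->flags & JSV_VARTYPEMASK;
  return t == JSV_FUNCTION || t == JSV_FUNCTION_RETURN;
}
static bool jsvIsFunctionReturn(const JsVar *v) {
  return v && (v->flags & JSV_VARTYPEMASK) == JSV_FUNCTION_RETURN;
}
static bool jsvIsNativeFunction(const JsVar *v) {
  return jsvIsFunction(v) && (v->flags & JSV_NATIVE) != 0;
}

/* Hardened replaceWith: both arguments are validated before oldFunc is
 * written to. Returns 0 on success, -1 when an argument is rejected
 * (the real code raises a JS TypeError instead of returning a code). */
int replaceWithChecked(JsVar *oldFunc, JsVar *newFunc) {
  if (!jsvIsFunction(newFunc)) return -1;  /* check present in the excerpt */
  if (!jsvIsFunction(oldFunc)) return -1;  /* guard the excerpt lacks */
  if (jsvIsNativeFunction(oldFunc) != jsvIsNativeFunction(newFunc)) {
    if (jsvIsNativeFunction(newFunc))
      oldFunc->flags |= JSV_NATIVE;
    else
      oldFunc->flags &= (JsVarFlags)~JSV_NATIVE;
  }
  if (jsvIsFunctionReturn(oldFunc) != jsvIsFunctionReturn(newFunc)) {
    JsVarFlags kept = oldFunc->flags & (JsVarFlags)~JSV_VARTYPEMASK;
    oldFunc->flags = kept | (jsvIsFunctionReturn(newFunc) ? JSV_FUNCTION_RETURN
                                                          : JSV_FUNCTION);
  }
  return 0;
}
```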
env
Ubuntu 18.04
Espruino 6ea4c0a
bug
poc