Denial of Service: Null Pointer De-reference #1821

Closed
JeffJerseyCow opened this issue May 13, 2017 · 1 comment
Labels
bug Undesired behaviour

Comments

@JeffJerseyCow

I've discovered a NULL pointer de-reference condition within Jerryscript.

If the bytes "0x27 0x5c 0xe2 0x80 0xa8 0x27 0x41" are evaluated by jerry_eval, a segmentation fault will occur, resulting in a denial of service.

It occurs within jmem_heap_free_block when block_p->size is de-referenced.

Proof: (screenshot attached to the original issue; not reproduced here)

The call tree is as follows (generally):

  1. jerry_eval
  2. ecma_op_eval_chars_buffer
  3. parser_parse_script
  4. parser_parse_source
  5. lexer_next_token (parses the source for strings and returns)
  6. parser_parse_statements (throws a parsing error via parser_raise_error and returns to the parser_parse_source PARSER_CATCH statement)
  7. parser_free_literals
  8. util_free_literal
  9. jmem_heap_free_block (SEGMENTATION FAULT)
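The following crash-triage harness is an added example written for this page; it is not JerryScript code and was not part of the reporter's submission. It rebuilds the reported byte sequence, shows what it decodes to (a single-quoted string literal whose only content is a backslash-escaped U+2028 LINE SEPARATOR, followed by a stray identifier `A` that forces the parser onto its error path), generates the same shape for the other ECMAScript line terminators, and runs each through a JerryScript binary, reporting a SIGSEGV exit as a crash. Assumptions: a `jerry` command-line binary that takes a script path as its argument (the build normally places one under `build/bin/`; the path is passed on the command line here), and that the CLI's parse path reaches the same parser error cleanup as the jerry_eval trace in the report. To exercise jerry_eval itself you would call the C API directly from a small host program.

```python
"""Crash-triage harness for the jerry_eval input in this report.

Added example, not JerryScript's own code.  Assumes a `jerry` CLI binary
that evaluates the script file named on its command line.
"""
from __future__ import annotations

import signal
import subprocess
import sys
import tempfile
from pathlib import Path

# The byte sequence quoted in the report (reconstructed from the issue text).
# As UTF-8 it is: ' \ U+2028 ' A  -- a string literal containing only an
# escaped LINE SEPARATOR, then an identifier that makes the statement invalid.
REPORTED_INPUT = bytes([0x27, 0x5C, 0xE2, 0x80, 0xA8, 0x27, 0x41])

# ECMAScript line terminators.  Inside a string literal, backslash followed by
# any of these is a LineContinuation.  The report uses only U+2028; the others
# are added here (assumption: same lexer path) to widen the regression check.
LINE_TERMINATORS = {
    "LF": "\n",
    "CR": "\r",
    "LS": "\u2028",
    "PS": "\u2029",
}


def code_points(source: bytes) -> list[int]:
    """Decode the input as UTF-8 and return its code points, so the
    structure (quote, backslash, terminator, quote, identifier) is visible."""
    return [ord(ch) for ch in source.decode("utf-8")]


def build_variants() -> dict[str, bytes]:
    """One input per line terminator, same shape as the reported one:
    '\<terminator>'A  encoded as UTF-8."""
    return {
        name: ("'\\" + term + "'A").encode("utf-8")
        for name, term in LINE_TERMINATORS.items()
    }


def classify(returncode: int) -> str:
    """Map a subprocess return code to a triage verdict.  A negative return
    code from subprocess means the process died from that signal."""
    if returncode == -signal.SIGSEGV:
        return "crash (SIGSEGV)"
    if returncode < 0:
        return f"crash (signal {-returncode})"
    if returncode == 0:
        return "ok"
    # A non-zero exit is what a clean SyntaxError from the parser looks like.
    return f"error exit {returncode}"


def run_jerry(jerry_bin: str, source: bytes, timeout: float = 10.0) -> str:
    """Write the raw bytes to a temp .js file, run the binary on it, and
    classify the outcome.  Hypothetical invocation: `jerry <file>`."""
    with tempfile.NamedTemporaryFile(suffix=".js", delete=False) as fh:
        fh.write(source)
        path = fh.name
    try:
        proc = subprocess.run([jerry_bin, path], capture_output=True, timeout=timeout)
        return classify(proc.returncode)
    finally:
        Path(path).unlink(missing_ok=True)


if __name__ == "__main__":
    jerry = sys.argv[1] if len(sys.argv) > 1 else "jerry"
    print("reported input code points:", [hex(cp) for cp in code_points(REPORTED_INPUT)])
    for name, src in build_variants().items():
        print(f"{name:3} {src.hex()} -> {run_jerry(jerry, src)}")
```

Run it as `python3 triage.py build/bin/jerry` against a build from before and after the fixing commit; the LS row is the reported case, and a verdict of "error exit" rather than "crash" on the patched build is the expected regression result. The input is deliberately valid UTF-8, since that is the encoding JerryScript's parser reads.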
@LaszloLango LaszloLango added the bug Undesired behaviour label May 22, 2017
@LaszloLango (Contributor)

@JeffJerseyCow thanks for the bug report and sorry for the late answer. I can confirm this is a valid bug. We'll fix it.

zherczeg added a commit to zherczeg/jerryscript that referenced this issue May 22, 2017
Fixes jerryscript-project#1821.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com
zherczeg added a commit that referenced this issue May 22, 2017
Fixes #1821.

JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg zherczeg.u-szeged@partner.samsung.com