
Denial of Service: Null Pointer De-reference #1821

Closed
@JeffJerseyCow

Description

I've discovered a NULL pointer de-reference condition within Jerryscript.

If the bytes "0x27 0x5c 0xe2 0x80 0xa8 0x27 0x41" are evaluated by jerry_eval, a segmentation fault will occur, resulting in a denial of service.

It occurs within jmem_heap_free_block when block_p->size is de-referenced.

Proof

The call tree is as follows (generally):

  1. jerry_eval
  2. ecma_op_eval_chars_buffer
  3. parser_parse_script
  4. parser_parse_source
  5. lexer_next_token (parses the source for strings and returns)
  6. parser_parse_statements (throws a parsing error via parser_raise_error and returns to the parser_parse_source PARSER_CATCH statement)
  7. parser_free_literals
  8. util_free_literal
  9. jmem_heap_free_block (SEGMENTATION FAULT)
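As an added illustration, not JerryScript's own code and not a reproduction of the crash above, the C model below shows why an error-path cleanup that frees every literal record can dereference NULL inside a size-prefixed heap free, and the check that lets the cleanup skip a literal whose buffer was never allocated. The block header layout, the function names and the three-literal scenario are assumptions made for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <stdbool.h>

/* Hypothetical size-prefixed heap block header (stand-in for a real allocator's). */
typedef struct { size_t size; } block_header_t;

size_t freed_bytes;  /* bytes returned to the heap, for inspection in the scenario */

/* Unchecked variant: reads block_p->size unconditionally, so a NULL block_p
 * faults exactly like the crash described in the report. */
void heap_free_block_unchecked(void *block_p) {
    block_header_t *hdr = (block_header_t *) block_p - 1;
    freed_bytes += hdr->size;            /* NULL dereference when block_p == NULL */
    free(hdr);
}

/* Checked variant: a literal with no allocated storage has nothing to free. */
bool heap_free_block_checked(void *block_p) {
    if (block_p == NULL) return false;
    block_header_t *hdr = (block_header_t *) block_p - 1;
    freed_bytes += hdr->size;
    free(hdr);
    return true;
}

void *heap_alloc_block(size_t size) {
    block_header_t *hdr = malloc(sizeof *hdr + size);
    if (hdr == NULL) return NULL;
    hdr->size = size;
    return hdr + 1;                      /* caller sees the payload, not the header */
}

/* Parser literal record: char_p stays NULL if the lexer raised an error
 * before the literal's buffer was allocated. */
typedef struct { void *char_p; } literal_t;

/* Error-path cleanup in the spirit of parser_free_literals: returns how many
 * literals actually owned a buffer; half-initialised ones are skipped. */
size_t free_literals_checked(literal_t *lits, size_t count) {
    size_t freed = 0;
    for (size_t i = 0; i < count; i++)
        if (heap_free_block_checked(lits[i].char_p)) { lits[i].char_p = NULL; freed++; }
    return freed;
}

/* Constructed scenario: two literals allocated, the third never got a buffer
 * because the parse error was raised first. Returns 2; the unchecked free would fault. */
size_t run_scenario(void) {
    literal_t lits[3] = { { heap_alloc_block(3) }, { heap_alloc_block(1) }, { NULL } };
    freed_bytes = 0;
    return free_literals_checked(lits, 3);
}
```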
