
Heap buffer overflow in lit_char_to_utf8_bytes #2476

Closed
dominiakm opened this issue Aug 16, 2018 · 0 comments · Fixed by #2480

@dominiakm

Version:
4e58ccf

Build command:
python3 ./tools/build.py --clean --jerry-libc=off --system-allocator=on --profile=es2015-subset --compile-flag=-m32 --compile-flag=-fsanitize=address --strip=OFF

Testcase:
cat testcase | ./jerry

Where testcase is as follows:

0
/ð/

(300a 2ff0 2f0a in hex).

Stack trace:

==2342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf580073b at pc 0x080f1a7a bp 0xffbb2b48 sp 0xffbb2b38
WRITE of size 1 at 0xf580073b thread T0
    #0 0x80f1a79 in lit_char_to_utf8_bytes jerry-core/lit/lit-char-helpers.c:377
    #1 0x811f6d8 in ecma_new_ecma_string_from_utf8_converted_to_cesu8 jerry-core/ecma/base/ecma-helpers-string.c:376
    #2 0x811f6d8 in lexer_construct_regexp_object jerry-core/parser/js/js-lexer.c:2175
    #3 0x817e286 in parser_parse_unary_expression jerry-core/parser/js/js-parser-expr.c:1116
    #4 0x817e286 in parser_parse_expression jerry-core/parser/js/js-parser-expr.c:1858
    #5 0x8193a71 in parser_parse_statements jerry-core/parser/js/js-parser-statm.c:2030
    #6 0x80effc7 in parser_parse_source.lto_priv.160 jerry-core/parser/js/js-parser.c:2368
    #7 0x804d1ef in parser_parse_script jerry-core/parser/js/js-parser.c:2881
    #8 0x804d1ef in ecma_op_eval_chars_buffer jerry-core/ecma/operations/ecma-eval.c:101
    #9 0x804d1ef in jerry_eval jerry-core/api/jerry.c:551
    #10 0x804d1ef in main jerry-main/main-unix.c:814
    #11 0xf702e636 in __libc_start_main (/lib32/libc.so.6+0x18636)
    #12 0x804f1eb  (build/bin/jerry+0x804f1eb)
rerobika pushed a commit to rerobika/jerryscript that referenced this issue Aug 20, 2018
This patch checks whether the source code is a valid UTF-8 string before evaluating it in prompt mode.
Also fixes jerryscript-project#2476.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
yichoi pushed a commit that referenced this issue Aug 21, 2018
This patch checks whether the source code is a valid UTF-8 string before evaluating it in prompt mode.
Also fixes #2476.

JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik frobert@inf.u-szeged.hu
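The fix described in the commit above rejects input that is not well-formed UTF-8 before it reaches the evaluator. The testcase bytes (30 0a 2f f0 2f 0a) contain a lone 0xF0, which announces a four-byte sequence that never arrives, so a byte-exact validator refuses them up front. The following is an added, stand-alone illustration of such a pre-evaluation check, written here for this page; it is not JerryScript's own validator and makes no assumptions about the engine's internals. The function names and the "valid" variant of the testcase (ð encoded as C3 B0) are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return true if buf[0..len) is well-formed UTF-8 per RFC 3629:
 * every lead byte is followed by the right number of continuation
 * bytes (10xxxxxx), no overlong encodings, no UTF-16 surrogates
 * (U+D800..U+DFFF), and nothing above U+10FFFF.  A truncated
 * sequence at the end of the buffer is rejected rather than read
 * past the end, which is the class of defect the issue reports. */
bool is_valid_utf8 (const uint8_t *buf, size_t len)
{
  size_t i = 0;
  while (i < len)
  {
    uint8_t b = buf[i];
    size_t need;      /* continuation bytes expected after the lead */
    uint32_t cp;      /* code point accumulated from the sequence */

    if (b < 0x80)                       { i++; continue; }        /* ASCII */
    else if ((b & 0xE0) == 0xC0)        { need = 1; cp = b & 0x1F;
                                          if (b < 0xC2) return false; } /* C0/C1 overlong */
    else if ((b & 0xF0) == 0xE0)        { need = 2; cp = b & 0x0F; }
    else if ((b & 0xF8) == 0xF0)        { need = 3; cp = b & 0x07;
                                          if (b > 0xF4) return false; } /* > U+10FFFF */
    else return false;                  /* stray continuation or 0xF8..0xFF */

    /* Not enough bytes left for the announced sequence: stop here
     * instead of indexing beyond the buffer. */
    if (len - i - 1 < need) return false;

    for (size_t k = 1; k <= need; k++)
    {
      uint8_t c = buf[i + k];
      if ((c & 0xC0) != 0x80) return false; /* e.g. 0xF0 followed by '/' */
      cp = (cp << 6) | (c & 0x3F);
    }
    if (need == 2 && (cp < 0x800 || (cp >= 0xD800 && cp <= 0xDFFF))) return false;
    if (need == 3 && (cp < 0x10000 || cp > 0x10FFFF)) return false;
    i += need + 1;
  }
  return true;
}

/* The bytes from the issue's testcase: "0\n/\xf0/\n" (constructed copy). */
bool issue_testcase_is_valid (void)
{
  static const uint8_t testcase[] = { 0x30, 0x0a, 0x2f, 0xf0, 0x2f, 0x0a };
  return is_valid_utf8 (testcase, sizeof testcase);
}

/* Same script with the intended character properly encoded (C3 B0 = U+00F0, constructed). */
bool encoded_testcase_is_valid (void)
{
  static const uint8_t fixed[] = { 0x30, 0x0a, 0x2f, 0xc3, 0xb0, 0x2f, 0x0a };
  return is_valid_utf8 (fixed, sizeof fixed);
}

/* Stand-alone use: read a script from stdin and refuse it before any
 * parsing happens if it is not valid UTF-8. */
int main (void)
{
  static uint8_t buf[1 << 16];
  size_t n = fread (buf, 1, sizeof buf, stdin);
  if (!is_valid_utf8 (buf, n))
  {
    fputs ("input rejected: not well-formed UTF-8\n", stderr);
    return 1;
  }
  puts ("input is well-formed UTF-8; safe to hand to the parser");
  return 0;
}
```

Piping the original testcase into this program returns 1 before any lexer or regexp code could run; the same input with the character properly encoded passes. The check is cheap (one pass, no allocation) and belongs at the boundary where untrusted bytes enter the engine, so that every later stage can assume well-formed sequences.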