heap-buffer-overflow in ecma_string_copy_to_cesu8_buffer #2948

@renatahodovan

Description

JerryScript revision
GIT hash: 2b8c4286

Build platform
Linux-4.15.0-51-generic-x86_64-with-Ubuntu-18.04-bionic

Build steps
```sh
./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on --logging=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
```

Test case:
```js
new (new Object()).constructor().constructor('abcdefghi').repeat(-4956799914495204378)
```
Backtrace:
```
=================================================================
==28205==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4afec00 at pc 0xf79aa587 bp 0xff8293a8 sp 0xff828f78
WRITE of size 9 at 0xf4afec00 thread T0
    #0 0xf79aa586  (/usr/lib32/libasan.so.5+0x9c586)
    #1 0x5665fd8c in ecma_string_copy_to_cesu8_buffer jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:1173
    #2 0x56704cbf in ecma_builtin_string_prototype_object_repeat jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:2169
    #3 0x566fd38d in ecma_builtin_string_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.inc.h:59
    #4 0x5667e6e8 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
    #5 0x5667e946 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
    #6 0x5668f720 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:727
    #7 0x566c60fd in opfunc_call jerryscript/jerry-core/vm/vm.c:572
    #8 0x566d6bc6 in vm_execute jerryscript/jerry-core/vm/vm.c:3574
    #9 0x566d746a in vm_run jerryscript/jerry-core/vm/vm.c:3694
    #10 0x566c5402 in vm_run_global jerryscript/jerry-core/vm/vm.c:273
    #11 0x56647c11 in jerry_run jerryscript/jerry-core/api/jerry.c:550
    #12 0x5664490b in main jerryscript/jerry-main/main-unix.c:742
    #13 0xf772e750 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1e750)
    #14 0x56642190 in _start (jerryscript/build/bin/jerry+0x15190)

0xf4afec00 is located 0 bytes to the right of 7390208-byte region [0xf43f2800,0xf4afec00)
allocated by thread T0 here:
    #0 0xf7a201cf in __interceptor_malloc (/usr/lib32/libasan.so.5+0x1121cf)
    #1 0x566a9b46 in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:293
    #2 0x566a9bab in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:327
    #3 0x566a9c7d in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:373
    #4 0x56704c8a in ecma_builtin_string_prototype_object_repeat jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.c:2163
    #5 0x566fd38d in ecma_builtin_string_prototype_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-string-prototype.inc.h:59
    #6 0x5667e6e8 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1016
    #7 0x5667e946 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1041
    #8 0x5668f720 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:727
    #9 0x566c60fd in opfunc_call jerryscript/jerry-core/vm/vm.c:572
    #10 0x566d6bc6 in vm_execute jerryscript/jerry-core/vm/vm.c:3574
    #11 0x566d746a in vm_run jerryscript/jerry-core/vm/vm.c:3694
    #12 0x566c5402 in vm_run_global jerryscript/jerry-core/vm/vm.c:273
    #13 0x56647c11 in jerry_run jerryscript/jerry-core/api/jerry.c:550
    #14 0x5664490b in main jerryscript/jerry-main/main-unix.c:742
    #15 0xf772e750 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x1e750)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib32/libasan.so.5+0x9c586)
Shadow bytes around the buggy address:
  0x3e95fd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e95fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e95fd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e95fd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3e95fd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3e95fd80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e95fd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e95fda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e95fdb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e95fdc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e95fdd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28205==ABORTING
```

Found by Fuzzinator with JsProFuzz.
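As an added illustration (not JerryScript's code), the count validation a `String.prototype.repeat` implementation needs so that a negative or oversized count like the one in this test case is rejected before any buffer is sized: the report shows a 9-byte write landing just past the allocated region in `repeat`, though the exact arithmetic that undersized the buffer is not stated in this issue. `MAX_REPEAT_BYTES` and the function names are assumptions for the example.

```c
#include <math.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of validating a repeat() count (ES2015 String.prototype.repeat:
 * ToInteger(count), then RangeError when count < 0 or count == +Infinity). */
typedef enum { REPEAT_OK = 0, REPEAT_RANGE_ERROR, REPEAT_ALLOC_ERROR } repeat_status_t;

/* Hypothetical allocation ceiling standing in for an engine's heap limit. */
#define MAX_REPEAT_BYTES ((size_t) 1u << 30)

/* Validate the JS count (a double) and compute the output byte length.
 * Sets *out_len and returns REPEAT_OK only when no cast or multiply can wrap. */
repeat_status_t repeat_check_count (double count, size_t str_len, size_t *out_len)
{
  /* ToInteger without libm: NaN (count != count) and |count| < 1 become 0. */
  if (count != count || (count > -1.0 && count < 1.0))
    count = 0.0;
  /* Negative or +Infinity is a RangeError; a raw (int) cast of
   * -4956799914495204378 would instead wrap to a bogus positive count. */
  if (count < 0.0 || count == INFINITY)
    return REPEAT_RANGE_ERROR;
  if (str_len == 0) { *out_len = 0; return REPEAT_OK; } /* "".repeat(n) is "" */
  /* Bound the count before casting so the cast cannot overflow, then
   * check the multiplication against the allocator ceiling. */
  if (count > (double) MAX_REPEAT_BYTES)
    return REPEAT_RANGE_ERROR;
  size_t n = (size_t) count;
  if (n > MAX_REPEAT_BYTES / str_len)
    return REPEAT_RANGE_ERROR;
  *out_len = n * str_len;
  return REPEAT_OK;
}

/* Build the repeated string (caller frees); NULL with *status set on error. */
char *repeat_string (const char *s, double count, repeat_status_t *status)
{
  size_t str_len = strlen (s), total;
  *status = repeat_check_count (count, str_len, &total);
  if (*status != REPEAT_OK)
    return NULL;
  char *buf = malloc (total + 1);
  if (buf == NULL) { *status = REPEAT_ALLOC_ERROR; return NULL; }
  for (size_t i = 0; i < total; i += str_len) /* every copy lands inside buf */
    memcpy (buf + i, s, str_len);
  buf[total] = '\0';
  return buf;
}
```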
