You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
function echo(RegExp) {
try { (r).compile(r).compile(RegExp.prototype) } catch (err) { }
}
var suppressLastIndex = false;
var suppressRegExp = false;
var suppressIndex = false;
function safeCall(f) {
var args = [];
for (var a = 1; a < arguments.length; ++a)
args.push(arguments[a]);
try {
return f.apply(this, args);
} catch (ex) {
echo("EXCEPTION");
}
}
function dump(o) {
var sb = [];
if (o === null)
sb.push("null");
else if (o === undefined)
sb.push("undefined");
else if (o === true)
sb.push("true");
else if (o === false)
sb.push("false");
else if (typeof o === "number")
sb.push(o.toString());
else if (typeof o == "string") {
if (o.length > 8192)
sb.push("<long string>");
else {
sb.push("\"");
var start = -1;
for (var i = 0; i < o.length; i++) {
var c = o.charCodeAt(i);
if (c < 32 || c > 127 || c == '"'.charCodeAt(0) || c == '\\'.charCodeAt(0)) {
if (start >= 0)
sb.push(o.substring(start, i));
start = -1;
sb.push("\\u");
sb.push(String.fromCharCode(hex.charCodeAt((c >> 12) & 0xf)));
sb.push(String.fromCharCode(hex.charCodeAt((c >> 8) & 0xf)));
sb.push(String.fromCharCode(hex.charCodeAt((c >> 4) & 0xf)));
sb.push(String.fromCharCode(hex.charCodeAt((c >> 0) & 0xf)));
}
else {
if (start < 0)
start = i;
}
}
if (start >= 0)
sb.push(o.substring(start, o.length));
sb.push("\"");
}
}
else if (o instanceof RegExp) {
var body = o.source;
sb.push("/");
var start = -1;
for (var i = 0; i < body.length; i++) {
var c = body.charCodeAt(i);
if (c < 32 || c > 127) {
if (start >= 0)
sb.push(body.substring(start, i));
start = -1;
sb.push("\\u");
sb.push(String.fromCharCode(hex.charCodeAt((c >> 12) & 0xf)));
sb.push(String.fromCharCode(hex.charCodeAt((c >> 8) & 0xf)));
sb.push(String.fromCharCode(hex.charCodeAt((c >> 4) & 0xf)));
sb.push(String.fromCharCode(hex.charCodeAt((c >> 0) & 0xf)));
}
else {
if (start < 0)
start = i;
}
}
if (start >= 0)
sb.push(body.substring(start, body.length));
sb.push("/");
if (o.global)
sb.push("g");
if (o.ignoreCase)
sb.push("i");
if (o.multiline)
sb.push("m");
if (!suppressLastIndex && o.lastIndex !== undefined) {
sb.push(" /*lastIndex=");
sb.push(o.lastIndex);
sb.push("*/ ");
}
}
else if (o.length !== undefined) {
sb.push("[");
for (var i = 0; i < o.length; i++) {
if (i > 0)
sb.push(",");
sb.push(dump(o[i]));
}
sb.push("]");
if (!suppressIndex && (o.input !== undefined || o.index !== undefined))
{
sb.push(" /*input=");
sb.push(dump(o.input));
sb.push(", index=");
sb.push(dump(o.index));
sb.push("*/ ");
}
}
else if (o.toString !== undefined) {
sb.push("<object with toString>");
}
else
sb.push(o.toString());
return sb.join("");
}
function pre(w, origargs, n) {
var sb = [w];
sb.push("(");
for (var i = 0; i < n; i++) {
if (i > 0) sb.push(", ");
sb.push(dump(origargs[i]));
}
if (origargs.length > n) {
sb.push(", ");
sb.push(dump(origargs[n]));
origargs[0].lastIndex = origargs[n];
}
sb.push(");");
echo(sb.join(""));
}
function post(r) {
if (!suppressLastIndex) {
echo("r.lastIndex=" + dump(r.lastIndex));
}
if (!suppressRegExp) {
var sb = [];
sb.push("RegExp.${_,1,...,9}=[");
sb.push(dump(RegExp.$_));
for (var i = 1; i <= 9; i++) {
sb.push(",");
sb.push(dump(RegExp["$" + i]));
}
sb.push("]");
echo(sb.join(""));
}
}
function exec(r, s) {
pre("exec", arguments, 2);
echo(dump(r.exec(s)));
post(r);
}
function test(r, s) {
pre("test", arguments, 2);
echo(dump(r.test(s)));
post(r);
}
function replace(r, s, o) {
pre("replace", arguments, 3);
echo(dump(s.replace(r, o)));
post(r);
}
function split(r, s) {
pre("split", arguments, 2);
echo(dump(s.split(r)));
post(r);
}
function match(r, s) {
pre("match", arguments, 2);
echo(dump(s.match(r)));
post(r);
}
function search(r, s) {
pre("search", arguments, 2);
echo(dump(s.search(r)));
post(r);
}
function bogus(r, o) {
echo("bogus(" + dump(r) + ", " + dump(o) + ");");
try { new RegExp(r, o); echo("FAILED"); } catch (e) { echo("PASSED"); }
}
var r, s;
r = /a*/g;
s = "cdsddfs";
exec(r, s);
exec(r, s);
Output
=================================================================
==80830==ERROR: AddressSanitizer: heap-use-after-free on address 0xf6502022 at pc 0x08073345 bp 0xffe00ad8 sp 0xffe00ac8
READ of size 2 at 0xf6502022 thread T0
#0 0x8073344 in ecma_bytecode_ref /home/jerryscript/jerry-core/ecma/base/ecma-helpers.c:1344
#1 0x80b41fb in ecma_op_create_regexp_from_bytecode /home/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:362
#2 0x8133fe1 in ecma_builtin_regexp_prototype_compile /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:320
#3 0x813455b in ecma_builtin_regexp_prototype_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:567
#4 0x808281d in ecma_builtin_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1216
#5 0x80829c3 in ecma_builtin_dispatch_call /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1240
#6 0x8098e38 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:845
#7 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#8 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#9 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#10 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#11 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#12 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#13 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#14 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#15 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#16 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#17 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#18 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#19 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#20 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#21 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#22 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#23 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#24 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#25 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#26 0x80f9aff in vm_run_global /home/jerryscript/jerry-core/vm/vm.c:339
#27 0x804def4 in jerry_run /home/jerryscript/jerry-core/api/jerry.c:579
#28 0x804acbf in main /home/jerryscript/jerry-main/main-unix.c:759
#29 0xf7888646 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18646)
#30 0x8048fb0 (/home/jerryscript/build/bin/jerry+0x8048fb0)
0xf6502022 is located 2 bytes inside of 24-byte region [0xf6502020,0xf6502038)
freed by thread T0 here:
#0 0xf7abda84 in free (/usr/lib32/libasan.so.2+0x96a84)
#1 0x80c2885 in jmem_heap_free_block_internal /home/jerryscript/jerry-core/jmem/jmem-heap.c:476
#2 0x80c2c1d in jmem_heap_free_block /home/jerryscript/jerry-core/jmem/jmem-heap.c:685
#3 0x80738ff in ecma_bytecode_deref /home/jerryscript/jerry-core/ecma/base/ecma-helpers.c:1467
#4 0x8133fd0 in ecma_builtin_regexp_prototype_compile /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:319
#5 0x813455b in ecma_builtin_regexp_prototype_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:567
#6 0x808281d in ecma_builtin_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1216
#7 0x80829c3 in ecma_builtin_dispatch_call /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1240
#8 0x8098e38 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:845
#9 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#10 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#11 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#12 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#13 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#14 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#15 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#16 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#17 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#18 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#19 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#20 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#21 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#22 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#23 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#24 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#25 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#26 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#27 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#28 0x80f9aff in vm_run_global /home/jerryscript/jerry-core/vm/vm.c:339
#29 0x804def4 in jerry_run /home/jerryscript/jerry-core/api/jerry.c:579
previously allocated by thread T0 here:
#0 0xf7abe144 in __interceptor_realloc (/usr/lib32/libasan.so.2+0x97144)
#1 0x80c2bfe in jmem_heap_realloc_block /home/jerryscript/jerry-core/jmem/jmem-heap.c:674
#2 0x80eb507 in re_compile_bytecode /home/jerryscript/jerry-core/parser/regexp/re-compiler.c:144
#3 0x80b412e in ecma_op_create_regexp_from_pattern /home/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:336
#4 0x8133ff7 in ecma_builtin_regexp_prototype_compile /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:323
#5 0x813455b in ecma_builtin_regexp_prototype_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp-prototype.c:567
#6 0x808281d in ecma_builtin_dispatch_routine /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1216
#7 0x80829c3 in ecma_builtin_dispatch_call /home/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1240
#8 0x8098e38 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:845
#9 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#10 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#11 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#12 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#13 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#14 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#15 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#16 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#17 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#18 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#19 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#20 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#21 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#22 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#23 0x8099320 in ecma_op_function_call_simple /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:943
#24 0x8099c3f in ecma_op_function_call /home/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1142
#25 0x80fb2f7 in opfunc_call /home/jerryscript/jerry-core/vm/vm.c:778
#26 0x810e095 in vm_execute /home/jerryscript/jerry-core/vm/vm.c:4690
#27 0x810e5d9 in vm_run /home/jerryscript/jerry-core/vm/vm.c:4792
#28 0x80f9aff in vm_run_global /home/jerryscript/jerry-core/vm/vm.c:339
#29 0x804def4 in jerry_run /home/jerryscript/jerry-core/api/jerry.c:579
SUMMARY: AddressSanitizer: heap-use-after-free /home/jerryscript/jerry-core/ecma/base/ecma-helpers.c:1344 ecma_bytecode_ref
Shadow bytes around the buggy address:
0x3eca03b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x3eca03c0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
0x3eca03d0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
0x3eca03e0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fa
0x3eca03f0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa 00 00
=>0x3eca0400: 00 fa fa fa[fd]fd fd fa fa fa fd fd fd fa fa fa
0x3eca0410: fd fd fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa
0x3eca0420: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x3eca0430: fd fd fa fa fd fd fd fd fa fa fd fd fd fa fa fa
0x3eca0440: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
0x3eca0450: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==80830==ABORTING
Credits: This vulnerability is detected by chong from OWL337.
The text was updated successfully, but these errors were encountered:
JerryScript revision
da5b058
Build platform
Ubuntu 16.04.6 LTS (Linux 4.15.0-99-generic x86_64)
Build steps
Test case
Output
Credits: This vulnerability is detected by chong from OWL337.
The text was updated successfully, but these errors were encountered: