#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007f2898e32859 in __GI_abort () at abort.c:79 #2 0x0000558795034682 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-port/default/default-fatal.c:30 #3 0x0000558794fccb4a in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:63 #4 0x0000558794fccba0 in jerry_assert_fail (assertion=0x558795036db0 "object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE", file=0x558795036d68 "/home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c", function=0x558795052a90 <func.7709> "ecma_deref_object", line=158) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:87 #5 0x0000558794f80b25 in ecma_deref_object (object_p=0x55879507b990 <jerry_global_heap+1872>) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c:158 #6 0x0000558794f92037 in ecma_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1145 #7 0x0000558794f92167 in ecma_fast_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1184 #8 0x0000558794fea587 in opfunc_call (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:834 #9 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271 #10 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d63a0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372 #11 0x0000558794fb1369 in ecma_op_function_call_simple (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1145 #12 0x0000558794fb1a19 in ecma_op_function_call (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1395 #13 0x0000558794fea4a9 in opfunc_call (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:799 #14 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271 #15 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d65e0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372 #16 0x0000558794fe99c1 in vm_run_global (bytecode_p=0x55879507b6a8 <jerry_global_heap+1128>, function_object_p=0x55879507b520 <jerry_global_heap+736>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:306 #17 0x0000558794f77256 in jerry_run (func_val=739) at /home/sy/Documents/jerry/jerryscript/jerry-core/api/jerry.c:588 #18 0x0000558794f73d63 in main (argc=2, argv=0x7ffcb43d69c8) at /home/sy/Documents/jerry/jerryscript/jerry-main/main-jerry.c:173 #19 0x00007f2898e340b3 in __libc_start_main (main=0x558794f73889
, argc=2, argv=0x7ffcb43d69c8, init=, fini=, rtld_fini=, stack_end=0x7ffcb43d69b8) at ../csu/libc-start.c:308 #20 0x0000558794f737ce in _start ()
Expected behavior
memcopy() in ecma-builtin-typearray-prototype.c:467 should check type of the array give backed by filter. We have already made this crash an arbitrary read/write, if you need that PoC, please contact us.
The text was updated successfully, but these errors were encountered:
During the execution of the TypedArray filter method it is possible
to have a different sized output TypedArray than the input one.
When copying the data to the output array the values must be
correctly converted to the output TypedArray's value range.
Fixes: jerryscript-project#4793
During the execution of the TypedArray filter method it is possible
to have a different sized output TypedArray than the input one.
When copying the data to the output array the values must be
correctly converted to the output TypedArray's value range.
Fixes: jerryscript-project#4793
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
During the execution of the TypedArray filter method it is possible
to have a different sized output TypedArray than the input one.
When copying the data to the output array the values must be
correctly converted to the output TypedArray's value range.
Fixes: #4793
JerryScript-DCO-1.0-Signed-off-by: Peter Gal pgal.usz@partner.samsung.com
JerryScript revision
d4231e7
Build platform
Ubuntu 20.04.3 LTS (Linux 5.11.0-34-generic x86_64)
Build steps
Test case
Output
ICE: Assertion 'object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE' failed at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c(ecma_deref_object):158.
Error: ERR_FAILED_INTERNAL_ASSERTION
Aborted (core dumped)
Backtrace
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
, argc=2, argv=0x7ffcb43d69c8, init=, fini=, rtld_fini=, stack_end=0x7ffcb43d69b8) at ../csu/libc-start.c:308#1 0x00007f2898e32859 in __GI_abort () at abort.c:79
#2 0x0000558795034682 in jerry_port_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-port/default/default-fatal.c:30
#3 0x0000558794fccb4a in jerry_fatal (code=ERR_FAILED_INTERNAL_ASSERTION) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:63
#4 0x0000558794fccba0 in jerry_assert_fail (assertion=0x558795036db0 "object_p->type_flags_refs >= ECMA_OBJECT_REF_ONE", file=0x558795036d68 "/home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c", function=0x558795052a90 <func.7709> "ecma_deref_object", line=158) at /home/sy/Documents/jerry/jerryscript/jerry-core/jrt/jrt-fatals.c:87
#5 0x0000558794f80b25 in ecma_deref_object (object_p=0x55879507b990 <jerry_global_heap+1872>) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-gc.c:158
#6 0x0000558794f92037 in ecma_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1145
#7 0x0000558794f92167 in ecma_fast_free_value (value=1875) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:1184
#8 0x0000558794fea587 in opfunc_call (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:834
#9 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d6230) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271
#10 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d63a0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372
#11 0x0000558794fb1369 in ecma_op_function_call_simple (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1145
#12 0x0000558794fb1a19 in ecma_op_function_call (func_obj_p=0x55879507b530 <jerry_global_heap+752>, this_arg_value=72, arguments_list_p=0x7ffcb43d651c, arguments_list_len=2) at /home/sy/Documents/jerry/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1395
#13 0x0000558794fea4a9 in opfunc_call (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:799
#14 0x0000558794ff5e4b in vm_execute (frame_ctx_p=0x7ffcb43d64d0) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5271
#15 0x0000558794ff60ea in vm_run (shared_p=0x7ffcb43d65e0, this_binding_value=11, lex_env_p=0x55879507b330 <jerry_global_heap+240>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:5372
#16 0x0000558794fe99c1 in vm_run_global (bytecode_p=0x55879507b6a8 <jerry_global_heap+1128>, function_object_p=0x55879507b520 <jerry_global_heap+736>) at /home/sy/Documents/jerry/jerryscript/jerry-core/vm/vm.c:306
#17 0x0000558794f77256 in jerry_run (func_val=739) at /home/sy/Documents/jerry/jerryscript/jerry-core/api/jerry.c:588
#18 0x0000558794f73d63 in main (argc=2, argv=0x7ffcb43d69c8) at /home/sy/Documents/jerry/jerryscript/jerry-main/main-jerry.c:173
#19 0x00007f2898e340b3 in __libc_start_main (main=0x558794f73889
#20 0x0000558794f737ce in _start ()
Expected behavior
memcopy() in ecma-builtin-typearray-prototype.c:467 should check type of the array give backed by filter. We have already made this crash an arbitrary read/write, if you need that PoC, please contact us.
The text was updated successfully, but these errors were encountered: