
heap-buffer-overflow in Array.prototype.push() after resize. #152

Closed
xeioex opened this issue May 7, 2019 · 0 comments

@xeioex (Contributor) commented May 7, 2019

```js
// Reproducer: v0 starts empty, so shift() returns undefined and push()
// appends it; the array grows by one element per iteration, forcing
// the backing storage to be resized several times before i reaches 100.
var v0 = [], i = 0;

while (i++ < 100) {
    v0.push(v0.shift(0));
}
```
```
$ njs test.js
==13374==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c7d0 at pc 0x000000447165 bp 0x7ffd25e422b0 sp 0x7ffd25e422a0
WRITE of size 16 at 0x60d00000c7d0 thread T0
    #0 0x447164 in njs_array_prototype_push njs/njs_array.c:679
    #1 0x45f1f2 in njs_function_native_call njs/njs_function.c:587
    #2 0x41bd8f in njs_vmcode_function_call njs/njs_vm.c:2061
    #3 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #4 0x412be5 in njs_vm_start njs/njs.c:594
    #5 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #6 0x403f7d in njs_process_file njs/njs_shell.c:619
    #7 0x402aa9 in main njs/njs_shell.c:281

0x60d00000c7d0 is located 0 bytes to the right of 128-byte region [0x60d00000c750,0x60d00000c7d0)
allocated by thread T0 here:
    #0 0x7f297b5a5076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4b5c7d in nxt_memalign nxt/nxt_malloc.c:26
    #2 0x4100ec in njs_align njs/njs.c:41
    #3 0x40b5aa in nxt_mp_alloc_large nxt/nxt_mp.c:594
    #4 0x40b3cf in nxt_mp_align nxt/nxt_mp.c:353
    #5 0x444eb8 in njs_array_alloc njs/njs_array.c:148
    #6 0x4145ee in njs_vmcode_array njs/njs_vm.c:342
    #7 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #8 0x412be5 in njs_vm_start njs/njs.c:594
    #9 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #10 0x403f7d in njs_process_file njs/njs_shell.c:619
    #11 0x402aa9 in main njs/njs_shell.c:281
SUMMARY: AddressSanitizer: heap-buffer-overflow njs/njs_array.c:679 njs_array_prototype_push
Shadow bytes around the buggy address:
  0x0c1a7fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98e0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
=>0x0c1a7fff98f0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
  0x0c1a7fff9900: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9910: fd fd fd fd fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1a7fff9930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a7fff9940: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
```

Minified test from fluff report.

@xeioex xeioex changed the title heap-buffer-overflow in Array.prototype.push(). heap-buffer-overflow in Array.prototype.push() after resize. May 7, 2019
