```js
// Minified fuzzer test case: repeatedly splice into an empty array with a
// non-numeric deleteCount ("AAAA") and one inserted element, then shift.
var v0 = [];
var x = new Array(10);
var i = 0;
while (i < 100) {
    v0.shift(v0.splice(0, "AAAA", "BBBB"));
    i++;
}
```
```
$ njs test.js
==21010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c700 at pc 0x000000447d20 bp 0x7fffbdc99110 sp 0x7fffbdc99100
WRITE of size 16 at 0x60d00000c700 thread T0
    #0 0x447d1f in njs_array_prototype_splice njs/njs_array.c:876
    #1 0x45f1f2 in njs_function_native_call njs/njs_function.c:587
    #2 0x41bd8f in njs_vmcode_function_call njs/njs_vm.c:2061
    #3 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #4 0x412be5 in njs_vm_start njs/njs.c:594
    #5 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #6 0x403f7d in njs_process_file njs/njs_shell.c:619
    #7 0x402aa9 in main njs/njs_shell.c:281

0x60d00000c700 is located 0 bytes to the right of 128-byte region [0x60d00000c680,0x60d00000c700)
allocated by thread T0 here:
    #0 0x7f5803b3a076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4b5c7d in nxt_memalign nxt/nxt_malloc.c:26
    #2 0x4100ec in njs_align njs/njs.c:41
    #3 0x40b5aa in nxt_mp_alloc_large nxt/nxt_mp.c:594
    #4 0x40b3cf in nxt_mp_align nxt/nxt_mp.c:353
    #5 0x444eb8 in njs_array_alloc njs/njs_array.c:148
    #6 0x4145ee in njs_vmcode_array njs/njs_vm.c:342
    #7 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #8 0x412be5 in njs_vm_start njs/njs.c:594
    #9 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #10 0x403f7d in njs_process_file njs/njs_shell.c:619
    #11 0x402aa9 in main njs/njs_shell.c:281

SUMMARY: AddressSanitizer: heap-buffer-overflow njs/njs_array.c:876 njs_array_prototype_splice
```
Probably the same as #152 (memory corruption while resizing). Minified test from fluff report.
b0f23db