
heap-buffer-overflow in Array.prototype.splice() after resize. #153

Closed
xeioex opened this issue May 7, 2019 · 0 comments

commented May 7, 2019

var v0=[]
var x = new Array(10)
var i = 0
while (i < 100) {
    v0.shift(v0.splice(0, "AAAA", "BBBB"))
    i++;
}
$ njs test.js
==21010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c700 at pc 0x000000447d20 bp 0x7fffbdc99110 sp 0x7fffbdc99100
WRITE of size 16 at 0x60d00000c700 thread T0
    #0 0x447d1f in njs_array_prototype_splice njs/njs_array.c:876
    #1 0x45f1f2 in njs_function_native_call njs/njs_function.c:587
    #2 0x41bd8f in njs_vmcode_function_call njs/njs_vm.c:2061
    #3 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #4 0x412be5 in njs_vm_start njs/njs.c:594
    #5 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #6 0x403f7d in njs_process_file njs/njs_shell.c:619
    #7 0x402aa9 in main njs/njs_shell.c:281

0x60d00000c700 is located 0 bytes to the right of 128-byte region [0x60d00000c680,0x60d00000c700)
allocated by thread T0 here:
    #0 0x7f5803b3a076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4b5c7d in nxt_memalign nxt/nxt_malloc.c:26
    #2 0x4100ec in njs_align njs/njs.c:41
    #3 0x40b5aa in nxt_mp_alloc_large nxt/nxt_mp.c:594
    #4 0x40b3cf in nxt_mp_align nxt/nxt_mp.c:353
    #5 0x444eb8 in njs_array_alloc njs/njs_array.c:148
    #6 0x4145ee in njs_vmcode_array njs/njs_vm.c:342
    #7 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #8 0x412be5 in njs_vm_start njs/njs.c:594
    #9 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #10 0x403f7d in njs_process_file njs/njs_shell.c:619
    #11 0x402aa9 in main njs/njs_shell.c:281

SUMMARY: AddressSanitizer: heap-buffer-overflow njs/njs_array.c:876 njs_array_prototype_splice
Shadow bytes around the buggy address:
  0x0c1a7fff9890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff98d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a7fff98e0:[fa]fa fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c1a7fff98f0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c1a7fff9900: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9910: fd fd fd fd fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a7fff9920: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa

Probably the same as #152 (memory corruption while resizing).
Minified test from fluff report.
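For readers of this report who are not familiar with how a splice-with-growth should be structured, here is an added example (not njs code, and not the fix the project shipped): a minimal growable array whose `splice()` reserves capacity before it writes anything, so an insertion that follows a resize cannot run past the allocated region. The element type (`uint64_t`), the `jsarray_*` names and the `repro_loop`/`growth_checksum` drivers are assumptions made for illustration and do not model njs internals; `repro_loop` mirrors the shape of the loop above (insert one at index 0, then shift) and `growth_checksum` forces several resizes through splice alone.

```c
/* Added example, not njs code: a growable array whose splice() grows the
 * backing store *before* it writes. All names here are illustrative
 * assumptions, not njs internals. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint64_t *data;
    size_t length;    /* live elements; invariant: length <= capacity */
    size_t capacity;  /* allocated slots */
} jsarray_t;

static int jsarray_init(jsarray_t *a, size_t cap)
{
    a->capacity = cap ? cap : 1;
    a->length = 0;
    a->data = malloc(a->capacity * sizeof(uint64_t));
    return a->data ? 0 : -1;
}

/* Grow (doubling) so that at least `needed` slots exist; -1 on failure. */
static int jsarray_reserve(jsarray_t *a, size_t needed)
{
    size_t cap = a->capacity;
    uint64_t *p;

    if (needed <= cap) return 0;
    while (cap < needed) {
        if (cap > SIZE_MAX / (2 * sizeof(uint64_t))) return -1; /* size overflow */
        cap *= 2;
    }
    p = realloc(a->data, cap * sizeof(uint64_t));
    if (p == NULL) return -1;
    a->data = p;
    a->capacity = cap;
    return 0;
}

/* splice(start, delete_count, items...) with ECMAScript clamping: negative
 * start counts from the end, delete_count is clamped to [0, length - start].
 * (A non-numeric delete count such as "AAAA" coerces to 0 in JS, which is
 * what the report's loop exercises.) Returns 0 on success, -1 on failure. */
static int jsarray_splice(jsarray_t *a, long start, long delete_count,
                          const uint64_t *items, size_t n_items)
{
    size_t len = a->length, s, dc, tail, new_len;

    if (start < 0) {
        size_t back = (size_t)(-(start + 1)) + 1;   /* |start| without overflow */
        s = back > len ? 0 : len - back;
    } else {
        s = (size_t)start > len ? len : (size_t)start;
    }
    dc = delete_count < 0 ? 0 : (size_t)delete_count;
    if (dc > len - s) dc = len - s;
    tail = len - s - dc;

    if (n_items > SIZE_MAX - (len - dc)) return -1;
    new_len = len - dc + n_items;

    /* Make room before any write: the tail move may land in the newly grown
     * region and a->data may have moved, so it is only used after this. */
    if (jsarray_reserve(a, new_len) != 0) return -1;

    memmove(a->data + s + n_items, a->data + s + dc, tail * sizeof(uint64_t));
    if (n_items) memcpy(a->data + s, items, n_items * sizeof(uint64_t));
    a->length = new_len;
    return 0;
}

/* shift(): drop the first element; returns 1 if one was removed, else 0. */
static int jsarray_shift(jsarray_t *a, uint64_t *out)
{
    if (a->length == 0) return 0;
    *out = a->data[0];
    memmove(a->data, a->data + 1, (a->length - 1) * sizeof(uint64_t));
    a->length--;
    return 1;
}

/* Mirrors the report's loop: 100 rounds of splice(0, 0, item) then shift().
 * Returns the final length (0: each round inserts one and removes one). */
static long repro_loop(void)
{
    jsarray_t v0;
    uint64_t item = 0x4242424242424242ULL;  /* constructed stand-in for "BBBB" */
    uint64_t dropped;
    long result = -1;

    if (jsarray_init(&v0, 1) != 0) return -1;
    for (int i = 0; i < 100; i++) {
        if (jsarray_splice(&v0, 0, 0, &item, 1) != 0) goto done;
        jsarray_shift(&v0, &dropped);
    }
    result = (long)v0.length;
done:
    free(v0.data);
    return result;
}

/* Forces several resizes through splice alone: inserts 0..count-1 one at a
 * time at index 0 of an array that starts with capacity 10 and returns the
 * sum of the stored elements, count*(count-1)/2 when every write landed in
 * the live region. Returns 0 on any failure. */
static uint64_t growth_checksum(size_t count)
{
    jsarray_t a;
    uint64_t sum = 0;

    if (jsarray_init(&a, 10) != 0) return 0;
    for (size_t i = 0; i < count; i++) {
        uint64_t v = (uint64_t)i;
        if (jsarray_splice(&a, 0, 0, &v, 1) != 0) { free(a.data); return 0; }
    }
    if (a.length == count && a.capacity >= count)
        for (size_t i = 0; i < a.length; i++) sum += a.data[i];
    free(a.data);
    return sum;
}

int main(void)
{
    printf("repro_loop final length: %ld\n", repro_loop());
    printf("growth_checksum(200): %llu\n", (unsigned long long)growth_checksum(200));
    return 0;
}
```

Built with `-fsanitize=address`, this is also the kind of harness that turns a report like the one above into a regression test: the loop in `repro_loop` and the growth pressure in `growth_checksum` both stay silent under ASan only when the reserve-before-write ordering holds.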

@xeioex xeioex changed the title heap-buffer-overflow in Array.prototype.splice(). heap-buffer-overflow in Array.prototype.splice() after resize. May 7, 2019

@xeioex xeioex added this to the 0.3.2 milestone May 14, 2019
