Integer-overflow in String.prototype.concat(). #159

Closed
xeioex opened this issue May 16, 2019 · 0 comments

xeioex (Contributor) commented May 16, 2019

>>  var s = 'x'.repeat(2**10).repeat(2**19)
undefined
>> var a = Array(8).fill(s)
undefined
>> String.prototype.concat.apply(s, a.slice(1))
=================================================================
==7198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f00000fa40 at pc 0x7f59b1f12904 bp 0x7ffc99374ed0 sp 0x7ffc99374678
WRITE of size 536870912 at 0x61f00000fa40 thread T0
    #0 0x7f59b1f12903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
    #1 0x427909 in njs_string_prototype_concat njs/njs_string.c:896
    #2 0x45f55f in njs_function_native_call njs/njs_function.c:587
    #3 0x41c924 in njs_vmcode_continuation njs/njs_vm.c:2308
    #4 0x413d10 in njs_vmcode_interpreter njs/njs_vm.c:159
    #5 0x412be5 in njs_vm_start njs/njs.c:594
    #6 0x4049a7 in njs_process_script njs/njs_shell.c:770
    #7 0x4037ad in njs_interactive_shell njs/njs_shell.c:500
    #8 0x402a03 in main njs/njs_shell.c:270

0x61f00000fa40 is located 0 bytes to the right of 3008-byte region [0x61f00000ee80,0x61f00000fa40)
allocated by thread T0 here:
    #0 0x7f59b1f1f076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x4b621b in nxt_memalign nxt/nxt_malloc.c:26
    #2 0x4100ec in njs_align njs/njs.c:41
    #3 0x40b703 in nxt_mp_alloc_large nxt/nxt_mp.c:605
    #4 0x40b3cf in nxt_mp_align nxt/nxt_mp.c:353
    #5 0x40b403 in nxt_mp_zalign nxt/nxt_mp.c:365
    #6 0x4101d0 in njs_vm_create njs/njs.c:103
    #7 0x40410c in njs_create_vm njs/njs_shell.c:652
    #8 0x403672 in njs_interactive_shell njs/njs_shell.c:475
    #9 0x402a03 in main njs/njs_shell.c:270

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c3e7fff9ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff9f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff9f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff9f40: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa

Similar to #131. size_t size is truncated when it is passed to njs_string_alloc().
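The narrowing described in the report, as an added example that is not njs code: the PoC's eight operands are 2^29 bytes each, so the size_t total is 8 * 2^29 = 2^32, which is exactly 0 once converted to a 32-bit size, and the `WRITE of size 536870912` in the ASan output is one 2^29-byte operand being memcpy'd into a buffer sized from the truncated value. The `alloc_narrow()` allocator, its uint32_t parameter width and every function name below are assumptions standing in for njs_string_alloc(); the `checked_total()` routine shows the check a fix needs: compare each operand against the remaining headroom before adding it, and allocate only after the total is known to fit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocator with a 32-bit size parameter, standing in for the
 * narrower-typed njs_string_alloc() the report mentions (assumption: the real
 * parameter width is not stated on the page). */
static char *alloc_narrow(uint32_t size)
{
    return malloc(size ? size : 1);
}

/* Bug pattern: the total is accumulated in size_t and then converted to the
 * allocator's uint32_t. For the PoC, 8 * 2^29 = 2^32 becomes 0. */
uint32_t truncated_alloc_size(const size_t *lens, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += lens[i];
    }
    return (uint32_t) total;  /* the same narrowing an implicit conversion performs */
}

/* Hardened: refuse before allocating if the sum would exceed what the
 * allocator can represent. limit - total cannot underflow because total <= limit
 * holds on every iteration. */
bool checked_total(const size_t *lens, size_t n, uint32_t limit, size_t *out)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > (size_t) limit - total) {
            return false;
        }
        total += lens[i];
    }
    *out = total;
    return true;
}

/* Concatenation that allocates only after the size check; returns NULL on
 * overflow instead of allocating a too-small buffer and overrunning it. */
char *safe_concat(const char **parts, const size_t *lens, size_t n, size_t *out_len)
{
    size_t total, off = 0;
    if (!checked_total(lens, n, UINT32_MAX, &total)) {
        return NULL;
    }
    char *dst = alloc_narrow((uint32_t) total);  /* total <= UINT32_MAX here */
    if (dst == NULL) {
        return NULL;
    }
    for (size_t i = 0; i < n; i++) {
        memcpy(dst + off, parts[i], lens[i]);
        off += lens[i];
    }
    *out_len = total;
    return dst;
}

/* The PoC's shape: eight operands of 2^29 bytes. Only the lengths are modelled;
 * no 512 MiB strings are built or copied. */
#define POC_PARTS 8
static const size_t poc_len = (size_t) 1 << 29;

int poc_truncates_to_zero(void)
{
    size_t lens[POC_PARTS];
    for (size_t i = 0; i < POC_PARTS; i++) lens[i] = poc_len;
    return truncated_alloc_size(lens, POC_PARTS) == 0;
}

int poc_is_rejected(void)
{
    size_t lens[POC_PARTS], total;
    const char *parts[POC_PARTS] = { 0 };  /* never dereferenced: the check fails first */
    for (size_t i = 0; i < POC_PARTS; i++) lens[i] = poc_len;
    return !checked_total(lens, POC_PARTS, UINT32_MAX, &total)
        && safe_concat(parts, lens, POC_PARTS, &total) == NULL;
}

int small_concat_ok(void)
{
    const char *parts[] = { "foo", "bar", "baz" };  /* constructed sample input */
    const size_t lens[] = { 3, 3, 3 };
    size_t len;
    char *r = safe_concat(parts, lens, 3, &len);
    int ok = r != NULL && len == 9 && memcmp(r, "foobarbaz", 9) == 0;
    free(r);
    return ok;
}

int main(void)
{
    printf("PoC total narrowed to 32 bits is zero: %s\n", poc_truncates_to_zero() ? "yes" : "no");
    printf("PoC rejected by checked concat:       %s\n", poc_is_rejected() ? "yes" : "no");
    printf("small concat correct:                 %s\n", small_concat_ok() ? "yes" : "no");
    return 0;
}
```

The check is done against the allocator's width, not against SIZE_MAX: on a 64-bit build the size_t sum does not overflow at all, which is exactly why the bug is invisible until the value crosses into the narrower parameter.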
