
heap-buffer-overflow in nxt_utf8_encode (nxt_utf8.c:32) #162

Closed
wrauner opened this issue May 20, 2019 · 0 comments

commented May 20, 2019

NJS version

changeset:   965:e0fdef4eb478
tag:         tip
user:        Dmitry Volyntsev <xeioex@nginx.com>
date:        Thu May 16 15:20:31 2019 +0300
summary:     Fixed uninitialized-memory-access in Object.defineProperties().

JavaScript testcase:

var v0="@褀+Qh"
while (((((((((((((v0)>>>v0.toUpperCase())+() => {
})+(((((((v0)>>>v0.toUpperCase())+() => {
})+(ReferenceError))+(0>>>0))+0)+0))+0)+0)+0)+0)+0)+0)+0)+0)) {
}

JavaScript testcase (b64):

dmFyIHYwPSIAAEDopIAAACtRaAAAAAAiCndoaWxlICgoKCgoKCgoKCgoKCh2MCk+Pj52MC50b1VwcGVyQ2FzZSgpKSsoKSA9PiB7Cn0pKygoKCgoKCh2MCk+Pj52MC50b1VwcGVyQ2FzZSgpKSsoKSA9PiB7Cn0pKyhSZWZlcmVuY2VFcnJvcikpKygwPj4+MCkpKzApKzApKSswKSswKSswKSswKSswKSswKSswKSswKSkgewp9Cgo=

Valgrind output:

==5361== Memcheck, a memory error detector
==5361== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==5361== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==5361== Command: ./build/njs /home/fuzz/encode.js
==5361== 
==5361== Invalid write of size 1
==5361==    at 0x242704: nxt_utf8_encode (nxt_utf8.c:32)
==5361==    by 0x155F04: njs_string_prototype_to_upper_case (njs_string.c:2243)
==5361==    by 0x1CF36B: njs_function_native_call (njs_function.c:587)
==5361==    by 0x130E2D: njs_vmcode_function_call (njs_vm.c:2061)
==5361==    by 0x12BF6F: njs_vmcode_interpreter (njs_vm.c:159)
==5361==    by 0x128E0B: njs_vm_start (njs.c:594)
==5361==    by 0x1179E4: njs_process_script (njs_shell.c:770)
==5361==    by 0x1123C4: njs_process_file (njs_shell.c:619)
==5361==    by 0x1123C4: main (njs_shell.c:281)
==5361==  Address 0x5efcb00 is 0 bytes after a block of size 8,192 alloc'd
==5361==    at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5361==    by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5361==    by 0x24923C: nxt_memalign (nxt_malloc.c:26)
==5361==    by 0x11E52F: nxt_mp_alloc_cluster (nxt_mp.c:549)
==5361==    by 0x11E52F: nxt_mp_alloc_page (nxt_mp.c:514)
==5361==    by 0x11F12C: nxt_mp_alloc_small (nxt_mp.c:426)
==5361==    by 0x1421F9: njs_string_alloc (njs_string.c:218)
==5361==    by 0x12B1B1: njs_string_concat (njs_vm.c:1205)
==5361==    by 0x136EC1: njs_vmcode_addition (njs_vm.c:1170)
==5361==    by 0x12BF6F: njs_vmcode_interpreter (njs_vm.c:159)
==5361==    by 0x128E0B: njs_vm_start (njs.c:594)
==5361==    by 0x1179E4: njs_process_script (njs_shell.c:770)
==5361==    by 0x1123C4: njs_process_file (njs_shell.c:619)
==5361==    by 0x1123C4: main (njs_shell.c:281)

Found by fluff
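The trace above reports a one-byte write just past an 8,192-byte block inside the UTF-8 encoder, called from toUpperCase. As an added illustration (not njs code, and not a reproduction of the njs defect itself), here is a hypothetical bounded encoder that carries the buffer end and refuses to write when the destination is too small; the constructed input uses U+2C7E, the upper-case form of U+023F, whose UTF-8 encoding grows from two bytes to three, so a buffer sized from the source string is too short.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bounded encoder (not the nxt/njs API): writes the UTF-8 form
 * of code point u into [p, end) and returns the advanced pointer, or NULL
 * without writing anything when the buffer lacks room or u is invalid. */
static unsigned char *
utf8_encode_bounded(unsigned char *p, const unsigned char *end, uint32_t u)
{
    size_t need = (u < 0x80) ? 1 : (u < 0x800) ? 2 : (u < 0x10000) ? 3 : 4;

    if (u > 0x10FFFF || (u >= 0xD800 && u <= 0xDFFF)) {
        return NULL;                      /* not a Unicode scalar value */
    }
    if (p == NULL || end < p || (size_t) (end - p) < need) {
        return NULL;                      /* refuse instead of overflowing */
    }
    switch (need) {
    case 1:
        *p++ = (unsigned char) u;
        break;
    case 2:
        *p++ = (unsigned char) (0xC0 | (u >> 6));
        *p++ = (unsigned char) (0x80 | (u & 0x3F));
        break;
    case 3:
        *p++ = (unsigned char) (0xE0 | (u >> 12));
        *p++ = (unsigned char) (0x80 | ((u >> 6) & 0x3F));
        *p++ = (unsigned char) (0x80 | (u & 0x3F));
        break;
    default:
        *p++ = (unsigned char) (0xF0 | (u >> 18));
        *p++ = (unsigned char) (0x80 | ((u >> 12) & 0x3F));
        *p++ = (unsigned char) (0x80 | ((u >> 6) & 0x3F));
        *p++ = (unsigned char) (0x80 | (u & 0x3F));
        break;
    }
    return p;
}

/* Encode n code points into a fixed buffer of cap bytes; returns the byte
 * count written, or -1 if a code point would not fit (output incomplete). */
static long
utf8_encode_seq(const uint32_t *cp, size_t n, unsigned char *buf, size_t cap)
{
    unsigned char *p = buf, *end = buf + cap;

    for (size_t i = 0; i < n; i++) {
        if ((p = utf8_encode_bounded(p, end, cp[i])) == NULL) return -1;
    }
    return (long) (p - buf);
}
```

With a 3-byte buffer for the constructed two-code-point input ("A" followed by U+2C7E), the sequence encoder returns -1 where an unbounded encoder would write the third byte past the end.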
