heap-buffer-overflow in njs_function_native_call njs/njs_function.c:623 #163

Closed
wrauner opened this issue May 20, 2019 · 1 comment

@wrauner commented May 20, 2019
NJS version

changeset:   965:e0fdef4eb478
tag:         tip
user:        Dmitry Volyntsev <xeioex@nginx.com>
date:        Thu May 16 15:20:31 2019 +0300
summary:     Fixed uninitialized-memory-access in Object.defineProperties().

JavaScript testcase:

var v0=Array()
while(v0.includes(v0.u,(Object()+((Boolean))),(Boolean),((({}>(Boolean)))),(0),v0.toString(([URIError]+Object))){}

ASAN log:

==32113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x5561174c6af1 bp 0x7ffd29774220 sp 0x7ffd29774210
WRITE of size 16 at 0x619000000480 thread T0
    #0 0x5561174c6af0 in njs_function_native_call njs/njs_function.c:623
    #1 0x5561173e36b1 in njs_vmcode_continuation njs/njs_vm.c:2308
    #2 0x5561173e3d47 in njs_vmcode_interpreter njs/njs_vm.c:159
    #3 0x5561173deb83 in njs_vm_start njs/njs.c:594
    #4 0x5561173c1cc3 in njs_process_script njs/njs_shell.c:770
    #5 0x5561173baf48 in njs_process_file njs/njs_shell.c:619
    #6 0x5561173baf48 in main njs/njs_shell.c:281
    #7 0x7f37a800db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x5561173bcef9 in _start (/home/build/njs/build/njs+0x2aef9)

Found by fluff
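As an added example (not part of the issue above and not njs project code), the following Python parser reads the AddressSanitizer report format shown in the report: the `==pid==ERROR` header, the `READ/WRITE of size N` access line and the `#N pc in function location` frames. It runs over a constructed copy of the log from this issue and computes the kind of dedup key a fuzz-triage script uses to bucket crashes. The `njs/` path prefix used to pick in-project frames is an assumption taken from the paths in the log, not an njs convention.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed copy of the ASAN report posted in the issue (not a fresh run).
ASAN_LOG = """==32113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000480 at pc 0x5561174c6af1 bp 0x7ffd29774220 sp 0x7ffd29774210
WRITE of size 16 at 0x619000000480 thread T0
    #0 0x5561174c6af0 in njs_function_native_call njs/njs_function.c:623
    #1 0x5561173e36b1 in njs_vmcode_continuation njs/njs_vm.c:2308
    #2 0x5561173e3d47 in njs_vmcode_interpreter njs/njs_vm.c:159
    #3 0x5561173deb83 in njs_vm_start njs/njs.c:594
    #4 0x5561173c1cc3 in njs_process_script njs/njs_shell.c:770
    #5 0x5561173baf48 in njs_process_file njs/njs_shell.c:619
    #6 0x5561173baf48 in main njs/njs_shell.c:281
    #7 0x7f37a800db96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x5561173bcef9 in _start (/home/build/njs/build/njs+0x2aef9)
"""

HEADER_RE = re.compile(
    r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+) at pc (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (\S+) (.+)$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "file:line" when symbolized, "(module+offset)" otherwise

    @property
    def symbolized(self) -> bool:
        return not self.location.startswith("(")


@dataclass
class AsanReport:
    pid: int
    bug_type: str       # e.g. heap-buffer-overflow
    address: int        # faulting address from the header
    pc: int             # faulting pc from the header
    access: Optional[str] = None   # READ or WRITE
    size: Optional[int] = None     # access width in bytes
    thread: Optional[str] = None
    frames: List[Frame] = field(default_factory=list)


def parse_asan(text: str) -> AsanReport:
    """Parse the header, access line and stack frames of one ASAN report."""
    report = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m.group(1)), m.group(2),
                                int(m.group(3), 16), int(m.group(4), 16))
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            report.thread = m.group(4)
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m.group(1)), int(m.group(2), 16),
                                       m.group(3), m.group(4)))
    if report is None:
        raise ValueError("no AddressSanitizer report found")
    return report


def project_frames(report: AsanReport, project_prefix: str) -> List[Frame]:
    """Frames whose source location lies under project_prefix, in stack order."""
    return [f for f in report.frames if f.location.startswith(project_prefix)]


def crash_signature(report: AsanReport, project_prefix: str, depth: int = 3) -> str:
    """Dedup key: bug type, access kind and the top `depth` in-project function names.

    Line numbers are deliberately left out so that unrelated edits to the file
    do not split one bug into several buckets.
    """
    top = project_frames(report, project_prefix)[:depth]
    return f"{report.bug_type}:{report.access}:" + "|".join(f.function for f in top)


if __name__ == "__main__":
    r = parse_asan(ASAN_LOG)
    print(crash_signature(r, "njs/"))
    # The #0 frame pc is one below the header pc: ASAN reports the address
    # of the faulting instruction in the frame list as pc - 1.
    print(hex(r.pc), hex(r.frames[0].pc))
```

Pointing `parse_asan` at a directory of fuzzer crash logs and grouping by `crash_signature` collapses the many inputs a fuzzer produces for one bug (here a 16-byte heap write at `njs_function_native_call`) into a single bucket, and `Frame.symbolized` flags reports where the top frames lack `file:line`, whose signatures should not be trusted.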

@jdelta-RBS commented May 20, 2019

This issue was assigned CVE-2019-12208
