ecma-helpers-string.c@1221 has an out-of-bounds write (buffer overflow) #2712
The following is what I got. Note: safe_memcpy is a safe version of memcpy that does array bounds checking. You can treat it like memcpy. I think the fix is to make sure the length is passed correctly.
DTS_MSG: Stensal DTS detected a fatal program error!
@mlite Thanks for the report. It has revealed a bug in the unit tests. The problem manifests itself in the engine but because of wrong API usage.
The problem is in tests/unit-core/test-api-strings.c, around line 241:
```c
cesu8_sz = 5;
char substring[cesu8_sz];
/// snip
cesu8_length = jerry_get_string_length (args);
cesu8_sz = jerry_get_string_size (args); /// BUG: substring is of fixed size, shouldn't rewrite its size
TEST_ASSERT (cesu8_length == 15);
TEST_ASSERT (cesu8_length == cesu8_sz);
sz = jerry_substring_to_char_buffer (args, 0, cesu8_length, (jerry_char_t *) substring, cesu8_sz); /// BUG(manifested): shouldn't try to lie about the size of substring when calling jerry_substring_to_char_buffer
TEST_ASSERT (sz == 15);
TEST_ASSERT (!strncmp (substring, "an ascii string", sz)); /// BUG(hidden): this will either cause a read overflow because substring is only 5 bytes long, or hit the assert if only the first 5 bytes of substring are filled
```
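The correct calling pattern for the bug above, as an added example that is not part of the issue thread or the JerryScript test suite: `substring_to_char_buffer` is a hypothetical stand-in for `jerry_substring_to_char_buffer` with the same contract (copy at most the stated capacity, return the number of bytes written), and the two callers size the buffer from the reported string size and pass that true capacity instead of a fixed 5-byte array with an overstated size.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for jerry_substring_to_char_buffer (not JerryScript's
 * code): copies at most buffer_size bytes of src[start, end) into buffer and
 * returns the count written. Like the real API it trusts buffer_size, so a
 * caller that overstates the capacity turns this into an out-of-bounds write. */
static size_t substring_to_char_buffer (const char *src, size_t start, size_t end,
                                        char *buffer, size_t buffer_size)
{
  size_t len = strlen (src);
  if (start > len) start = len;
  if (end > len) end = len;
  size_t n = (end > start) ? end - start : 0;
  if (n > buffer_size) n = buffer_size; /* the API's own bounds check */
  memcpy (buffer, src + start, n);
  return n;
}

/* Correct caller: allocate from the reported string size (stands in for
 * jerry_get_string_size) and pass that same capacity to the copy routine.
 * Returns 1 if every byte round-tripped, 0 otherwise. */
static int round_trip_ok (const char *src)
{
  size_t cesu8_sz = strlen (src);
  char *substring = malloc (cesu8_sz + 1);
  if (substring == NULL) return 0;
  size_t sz = substring_to_char_buffer (src, 0, cesu8_sz, substring, cesu8_sz);
  substring[sz] = '\0';
  int ok = (sz == cesu8_sz) && (strcmp (substring, src) == 0);
  free (substring);
  return ok;
}

/* Honest caller with a fixed-size buffer: report the real capacity. The API
 * then truncates instead of overflowing, and the returned count (never above
 * cap) tells the caller that only part of the string was copied. */
static size_t honest_fixed_copy (const char *src, size_t cap)
{
  char *buf = malloc (cap > 0 ? cap : 1);
  if (buf == NULL) return 0;
  size_t n = substring_to_char_buffer (src, 0, strlen (src), buf, cap);
  free (buf);
  return n;
}
```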