
heap-buffer-overflow in lit_read_code_unit_from_hex #2192

@renatahodovan

Description

Jerry version:
Checked revision: 918eb22a
Build command: ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-g --jerry-libc=off --static-link=off --strip=off --system-allocator=on --linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset
OS: Ubuntu 17.10
Test case:
JSON.parse('"' + '\\u');

The test case is quite similar to #2180, but the failure happens in a different module.
The place and the type of the failure are the same as in #2140, but the test cases and the traces are completely different.

Backtrace:
=================================================================
==15239==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5f0065b at pc 0x0822d726 bp 0xff814e78 sp 0xff814e6c
READ of size 1 at 0xf5f0065b thread T0
    #0 0x822d725 in lit_read_code_unit_from_hex jerryscript/jerry-core/lit/lit-char-helpers.c:443:9
    #1 0x82b7ae9 in ecma_builtin_json_parse_string jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:181:17
    #2 0x82b5cf3 in ecma_builtin_json_parse_next_token jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:435:9
    #3 0x82b477d in ecma_builtin_json_parse_value jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:550:3
    #4 0x82b1ac7 in ecma_builtin_json_parse jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.c:822:31
    #5 0x82b12a8 in ecma_builtin_json_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-json.inc.h:26:1
    #6 0x81ecc14 in ecma_builtin_dispatch_routine jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:135:1
    #7 0x81ebb55 in ecma_builtin_dispatch_call jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844:17
    #8 0x82038f2 in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:342:19
    #9 0x8277f73 in opfunc_call jerryscript/jerry-core/vm/vm.c:425:24
    #10 0x825e906 in vm_execute jerryscript/jerry-core/vm/vm.c:2871:7
    #11 0x825dc14 in vm_run jerryscript/jerry-core/vm/vm.c:2951:10
    #12 0x825d0cf in vm_run_global jerryscript/jerry-core/vm/vm.c:232:28
    #13 0x817673c in jerry_run jerryscript/jerry-core/api/jerry.c:559:24
    #14 0x816ea31 in main jerryscript/jerry-main/main-unix.c:664:21
    #15 0xf7c2d985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
    #16 0x806fe97 in _start (jerryscript/build/bin/jerry+0x806fe97)

0xf5f0065b is located 0 bytes to the right of 11-byte region [0xf5f00650,0xf5f0065b)
allocated by thread T0 here:
    #0 0x81334b4 in malloc (jerryscript/build/bin/jerry+0x81334b4)
    #1 0x822a8f7 in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:324:10
    #2 0x822a644 in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:360:24
    #3 0x822a464 in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:406:10
    #4 0x8279927 in ecma_alloc_string_buffer jerryscript/jerry-core/ecma/base/ecma-alloc.c:182:10
    #5 0x81b1049 in ecma_append_chars_to_string jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:621:21
    #6 0x81b2db0 in ecma_concat_ecma_strings jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:738:10
    #7 0x83504de in opfunc_addition jerryscript/jerry-core/vm/opcodes-ecma-arithmetics.c:154:17
    #8 0x826be3d in vm_loop jerryscript/jerry-core/vm/vm.c:1722:20
    #9 0x825e7c8 in vm_execute jerryscript/jerry-core/vm/vm.c:2862:24
    #10 0x825dc14 in vm_run jerryscript/jerry-core/vm/vm.c:2951:10
    #11 0x825d0cf in vm_run_global jerryscript/jerry-core/vm/vm.c:232:28
    #12 0x817673c in jerry_run jerryscript/jerry-core/api/jerry.c:559:24
    #13 0x816ea31 in main jerryscript/jerry-main/main-unix.c:664:21
    #14 0xf7c2d985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/lit/lit-char-helpers.c:443:9 in lit_read_code_unit_from_hex
==15239==ABORTING

Found by Fuzzinator with grammarinator.
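As an added illustration that is not JerryScript's code: a hypothetical bounds-checked `\uXXXX` reader and a minimal JSON string scanner around it, showing how the truncated `\u` escape from the test case above is rejected by a length check against the end of the buffer instead of being read one byte past the end of the string region, which is what the ASan report shows. The names `hex_digit_value`, `read_code_unit_from_hex_checked` and `scan_json_string` are assumptions for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical helper, not JerryScript's code: value of one ASCII hex digit. */
static bool hex_digit_value (uint8_t c, uint32_t *out)
{
  if (c >= '0' && c <= '9') { *out = (uint32_t) (c - '0'); return true; }
  if (c >= 'a' && c <= 'f') { *out = (uint32_t) (c - 'a' + 10); return true; }
  if (c >= 'A' && c <= 'F') { *out = (uint32_t) (c - 'A' + 10); return true; }
  return false;
}

/* Decode the XXXX of a \uXXXX escape from [p, end).  The length check first turns
 * the truncated "\u" from the test case into a parse failure instead of a read past
 * the end of the string buffer. */
bool read_code_unit_from_hex_checked (const uint8_t *p, const uint8_t *end, uint16_t *out)
{
  if (end - p < 4) return false;               /* fewer than 4 bytes remain */
  uint32_t value = 0;
  for (int i = 0; i < 4; i++) {
    uint32_t digit;
    if (!hex_digit_value (p[i], &digit)) return false;
    value = (value << 4) | digit;
  }
  *out = (uint16_t) value;
  return true;
}

/* Scan a JSON string body (the bytes after the opening quote) and return the number
 * of decoded code units, or -1 for a truncated or malformed escape or a missing
 * closing quote.  Every read stays below `end`. */
int scan_json_string (const char *s)
{
  const uint8_t *p = (const uint8_t *) s, *end = p + strlen (s);
  int count = 0;
  while (p < end) {
    uint8_t c = *p++;
    if (c == '"') return count;                  /* closing quote: done */
    if (c != '\\') { count++; continue; }        /* ordinary character */
    if (p >= end) return -1;                     /* lone backslash at end of input */
    uint8_t esc = *p++;
    if (esc == 'u') {
      uint16_t cu;
      if (!read_code_unit_from_hex_checked (p, end, &cu)) return -1;
      p += 4;
    } else if (strchr ("\"\\/bfnrt", esc) == NULL) {
      return -1;                                 /* unknown escape */
    }
    count++;
  }
  return -1;                                     /* no closing quote */
}
```

Called on the body of the report's input (`\u` with nothing after it), `scan_json_string` returns -1 without touching memory beyond the string.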
