heap-buffer-overflow in lit_read_code_unit_from_utf8 #2451

@renatahodovan

Description

Jerry version:
Checked revision: 1ac2903d
Build command: ./tools/build.py --clean --debug --compile-flag=-fsanitize=address \
--compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer \
--compile-flag=-fno-common --compile-flag=-g \
--strip=off --system-allocator=on \
--linker-flag=-fuse-ld=gold --error-messages=on --profile=es2015-subset --logging=on
OS:
Ubuntu 17.10, x86_64
Test case:
// Build a long source string: 4000 repetitions of "-Infinity<i>" followed by
// two U+00A0 (no-break space) characters and "1.2e3".
var src = "var a = 0; while(a) { switch(a) {";
for (var i = 0; i < 4000; i++)
    src += "-Infinity" + i + "\u00a0\u00a01.2e3";
// Append lone surrogates (U+DC00) around a literal percent-encoded sequence.
src += "\udc00%f0%90%80%80\udc00";
// ASan reports the heap over-read while print() converts the string to UTF-8.
print(src);
Backtrace:
=================================================================
==18380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xd9845ba9 at pc 0x5669f5c3 bp 0xfffc6248 sp 0xfffc6238
READ of size 1 at 0xd9845ba9 thread T0
    #0 0x5669f5c2 in lit_read_code_unit_from_utf8 jerryscript/jerry-core/lit/lit-strings.c:406
    #1 0x56726b4a in ecma_substring_copy_to_utf8_buffer jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:1292
    #2 0x56710bf3 in jerry_substring_to_utf8_char_buffer jerryscript/jerry-core/api/jerry.c:1731
    #3 0x5664746f in jerryx_handler_print jerryscript/jerry-ext/handler/handler-print.c:68
    #4 0x566d0eea in ecma_op_function_call jerryscript/jerry-core/ecma/operations/ecma-function-object.c:589
    #5 0x566b64a8 in opfunc_call jerryscript/jerry-core/vm/vm.c:436
    #6 0x566c2ed0 in vm_execute jerryscript/jerry-core/vm/vm.c:3006
    #7 0x566c3721 in vm_run jerryscript/jerry-core/vm/vm.c:3090
    #8 0x566b59ed in vm_run_global jerryscript/jerry-core/vm/vm.c:225
    #9 0x5670e2ca in jerry_run jerryscript/jerry-core/api/jerry.c:533
    #10 0x5670ada1 in main jerryscript/jerry-main/main-unix.c:676
    #11 0xf7739985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
    #12 0x566394b0  (jerryscript/build/bin/jerry+0x134b0)

0xd9845ba9 is located 0 bytes to the right of 86953-byte region [0xd9830800,0xd9845ba9)
allocated by thread T0 here:
    #0 0xf79f8bc4 in malloc (/usr/lib32/libasan.so.4+0xe4bc4)
    #1 0x566e25f7 in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:295
    #2 0x566e26c4 in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:329
    #3 0x566e2799 in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:375
    #4 0x566c38cb in ecma_alloc_string_buffer jerryscript/jerry-core/ecma/base/ecma-alloc.c:170
    #5 0x56723e92 in ecma_append_chars_to_string jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:689
    #6 0x56724913 in ecma_concat_ecma_strings jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:829
    #7 0x56642467 in opfunc_addition jerryscript/jerry-core/vm/opcodes-ecma-arithmetics.c:154
    #8 0x566bd157 in vm_loop jerryscript/jerry-core/vm/vm.c:1779
    #9 0x566c2e6f in vm_execute jerryscript/jerry-core/vm/vm.c:2997
    #10 0x566c3721 in vm_run jerryscript/jerry-core/vm/vm.c:3090
    #11 0x566b59ed in vm_run_global jerryscript/jerry-core/vm/vm.c:225
    #12 0x5670e2ca in jerry_run jerryscript/jerry-core/api/jerry.c:533
    #13 0x5670ada1 in main jerryscript/jerry-main/main-unix.c:676
    #14 0xf7739985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/lit/lit-strings.c:406 in lit_read_code_unit_from_utf8
Shadow bytes around the buggy address:
  0x3b308b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3b308b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3b308b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3b308b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x3b308b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3b308b70: 00 00 00 00 00[01]fa fa fa fa fa fa fa fa fa fa
  0x3b308b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3b308b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3b308ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3b308bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3b308bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18380==ABORTING

Found by Fuzzinator with grammarinator.
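The report above does not analyse the root cause, so the following is an added illustrative example, not JerryScript's code and not the fix for this issue. It shows the class of defect that produces a 1-byte heap over-read in a UTF-8/CESU-8 code-unit reader: a lead byte that promises a 3-byte sequence, stored as the last bytes of a heap block, so an unchecked reader fetches a continuation byte from the ASan redzone. The checked reader beside it verifies the whole sequence fits before touching it. All names (`read_code_unit_checked`, `decode_cesu8`, the sample buffers) are made up for this example; the CESU-8 encoding of the lone surrogate `\udc00` as `ED B0 80` is the standard one.

```c
/*
 * Illustrative example (not JerryScript code): a CESU-8 code-unit reader
 * with and without an end-of-buffer check, showing how a truncated
 * multi-byte sequence at the end of a heap block becomes a 1-byte
 * heap-buffer-overflow READ of the kind ASan reports above.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t code_unit_t;

/* Constructed sample input: "a" followed by the lone surrogate U+DC00,
 * encoded as CESU-8 (ED B0 80), the way an engine stores the "\udc00"
 * from the test case above. */
static const uint8_t sample_full[] = { 0x61, 0xED, 0xB0, 0x80 };

/* Same string with its final byte missing: the lead byte 0xED promises
 * three bytes, but the buffer ends after two of them. */
static const uint8_t sample_truncated[] = { 0x61, 0xED, 0xB0 };

/* Length of a UTF-8/CESU-8 sequence as claimed by its lead byte. */
static size_t utf8_seq_len(uint8_t lead)
{
  if (lead < 0x80) return 1;
  if ((lead & 0xE0) == 0xC0) return 2;
  if ((lead & 0xF0) == 0xE0) return 3;
  if ((lead & 0xF8) == 0xF0) return 4;
  return 0; /* continuation byte or invalid lead byte */
}

/* Unsafe reader: trusts the lead byte and reads the continuation bytes
 * without knowing where the buffer ends. Called on a 3-byte lead byte that
 * sits 2 bytes before the end of a heap block, it reads 1 byte past it. */
static size_t read_code_unit_unchecked(const uint8_t *buf, code_unit_t *out)
{
  size_t len = utf8_seq_len(buf[0]);
  uint32_t cp;
  switch (len) {
    case 1: cp = buf[0]; break;
    case 2: cp = (uint32_t)((buf[0] & 0x1Fu) << 6) | (buf[1] & 0x3Fu); break;
    case 3: cp = (uint32_t)((buf[0] & 0x0Fu) << 12)
               | (uint32_t)((buf[1] & 0x3Fu) << 6)
               | (buf[2] & 0x3Fu); break;
    default: return 0; /* 4-byte forms do not occur in CESU-8 */
  }
  *out = (code_unit_t) cp;
  return len;
}

/* Checked reader: proves the whole sequence lies inside [buf, end) and that
 * every continuation byte is well-formed before decoding. Returns the bytes
 * consumed, or 0 for a truncated/invalid sequence so the caller can stop. */
static size_t read_code_unit_checked(const uint8_t *buf, const uint8_t *end,
                                     code_unit_t *out)
{
  if (buf >= end) return 0;
  size_t len = utf8_seq_len(buf[0]);
  if (len == 0 || len > 3 || (size_t)(end - buf) < len) return 0;
  for (size_t i = 1; i < len; i++)
    if ((buf[i] & 0xC0) != 0x80) return 0; /* bad continuation byte */
  return read_code_unit_unchecked(buf, out); /* bounds proven above */
}

/* Decode a whole CESU-8 buffer into UTF-16 code units. Returns the number
 * of code units written, or -1 if a truncated/invalid sequence is hit. */
static int decode_cesu8(const uint8_t *buf, size_t size,
                        code_unit_t *out, size_t out_cap)
{
  const uint8_t *end = buf + size;
  size_t n = 0;
  while (buf < end) {
    code_unit_t cu;
    size_t len = read_code_unit_checked(buf, end, &cu);
    if (len == 0 || n == out_cap) return -1;
    out[n++] = cu;
    buf += len;
  }
  return (int) n;
}

int main(int argc, char **argv)
{
  code_unit_t out[8];
  int n = decode_cesu8(sample_truncated, sizeof sample_truncated, out, 8);
  printf("checked decoder: %s\n", n < 0 ? "rejected truncated sequence" : "ok");

  if (argc > 1 && strcmp(argv[1], "--unsafe") == 0) {
    /* Heap block sized exactly to the truncated string. Built with
     * -fsanitize=address, ASan reports a 1-byte heap-buffer-overflow READ
     * "0 bytes to the right" of the block, as in the backtrace above. */
    uint8_t *heap = malloc(sizeof sample_truncated);
    if (heap == NULL) return 1;
    memcpy(heap, sample_truncated, sizeof sample_truncated);
    code_unit_t cu;
    read_code_unit_unchecked(heap + 1, &cu); /* reads heap[3]: past the end */
    free(heap);
  }
  return 0;
}
```

Run it without arguments for the checked path; run with `--unsafe` under an ASan build (`cc -fsanitize=address -g`) to reproduce the shape of the report above on a known-truncated buffer.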

Labels: bug (Undesired behaviour)