
NULL dereference in scanner_reverse_info_list

nszetei opened this issue · 0 comments

JerryScript revision

6cd309b

Build platform

Ubuntu 20.04 LTS (Linux 5.4.0-31-generic x86_64)

Build steps
# Debug build with AddressSanitizer and a reduced stack limit, used for the
# reproducer below. --compile-flag=-g is passed twice; presumably a harmless
# duplicate (build.py appears to accept the option repeatedly) — unconfirmed.
python tools/build.py --profile=es2015-subset --lto=off --compile-flag=-g \
--error-messages=on --debug --compile-flag=-g --strip=off --logging=on \
 --compile-flag=-fsanitize=address --stack-limit=15
Test case
// Fuzzer-style reproducer (unreduced). The AddressSanitizer and gdb output
// below place the crash in scanner_reverse_info_list, reached from
// scanner_scan_all inside parser_parse_source — i.e. the fault happens while
// this file is still being scanned, before main() is ever called. None of the
// statements here execute; only their syntactic shape matters, so keep the
// text exactly as written. The faulting read is `scanner_info_p->type` with
// scanner_info_p == NULL (rax = 0, load from offset 0x10): a NULL dereference,
// not a memory-corruption primitive.
function main() {
var v2 = new Float64Array(63797);
var v4 = "d".constructor;
var v6 = [1337,1337,1337,1337];
var v7 = [];
var v8 = {constructor:v6,a:v7};
var v9 = v8.a;
var v12 = 0;
v9.toString = v4;
var v14 = new Int16Array();
do {
    // Function declaration nested in a loop body, carrying a directive
    // prologue ('use strict' with no trailing semicolon, terminated by ASI)
    // and a direct eval() call.
    // NOTE(review): presumably this nested scope is what populates the
    // scanner-info list that scanner_reverse_info_list walks — unconfirmed;
    // the exact triggering construct has not been reduced.
    function v16(v17,v18,v19) {
        'use strict'
        var v20 = Int16Array.toLocaleString();
        var v22 = eval(v20);
    }
    var v24 = new Promise(v16);
    var v25 = v12 + 1;
    v12 = v25;
    v7[v25] = v14;
} while (v12 < 1337);
}
main(); // never reached: the parser aborts while scanning this file (see the trace below)
Output
$ build/bin/jerry test.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==434582==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x55af4dd3f2b0 bp 0x7ffc7e016ab0 sp 0x7ffc7e016a80 T0)
==434582==The signal is caused by a READ memory access.
==434582==Hint: address points to the zero page.
    #0 0x55af4dd3f2af in scanner_reverse_info_list /tmp/jerryscript/jerry-core/parser/js/js-scanner-util.c:1557
    #1 0x55af4dd5150a in scanner_scan_all /tmp/jerryscript/jerry-core/parser/js/js-scanner.c:3217
    #2 0x55af4dd34f5e in parser_parse_source /tmp/jerryscript/jerry-core/parser/js/js-parser.c:2084
    #3 0x55af4dd38d76 in parser_parse_script /tmp/jerryscript/jerry-core/parser/js/js-parser.c:2697
..
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/jerryscript/jerry-core/parser/js/js-scanner-util.c:1557 in scanner_reverse_info_list
==434582==ABORTING
$ gdb -q -nx build/bin/jerry -ex 'r test.js'

Program received signal SIGSEGV, Segmentation fault.
0x00005555556422b0 in scanner_reverse_info_list (context_p=0x7fffffffca20) at /tmp/jerryscript/jerry-core/parser/js/js-scanner-util.c:1557
1557	  if (scanner_info_p->type == SCANNER_TYPE_END)
(gdb) x/i $rip
=> 0x5555556422b0 <scanner_reverse_info_list+133>:	movzbl 0x10(%rax),%eax
(gdb) i r rax
rax            0x0                 0