bellard / quickjs

Public repository of the QuickJS Javascript Engine.
https://bellard.org/quickjs

SEGV on unknown address in add_closure_variables #249

Open Ye0nny opened 7 months ago

Ye0nny commented 7 months ago

QuickJS Version

Version: https://github.com/bellard/quickjs/commit/6a89d7c27099be84e5312a7ec73205d6a7abe1b4

Platform

Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)

Build

PoC

testcase

```javascript
class e {
    // Direct eval inside a default-parameter initializer of a class method.
    // The string literal is reproduced as posted; the single quote it opens is
    // never closed, so the eval'd source is itself a syntax error.
    method({} = eval(" var arguments ='–“� ")) {
        arguments[undefined] = arguments[0];
        this - this.method();
        return arguments;
    }
}
class t extends e {
    method(...e) {
        return super.method(...e);
    }
}
var r = new t();
r.method();
r.method();
r.method();
```

```javascript
class e {
    // The crash still reproduces with an empty direct eval as the default value.
    method({} = eval(" ")) {}
}
class t extends e {
    method(...e) {
        return super.method();
    }
}
var r = new t();
r.method();
```

Execution steps & Output

```
$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1074913==ERROR: AddressSanitizer: SEGV on unknown address 0x6120001018b4 (pc 0x564b1c4dd487 bp 0x7ffce71e0450 sp 0x7ffce71e0290 T0)
==1074913==The signal is caused by a READ memory access.
    #0 0x564b1c4dd486 in add_closure_variables quickjs/quickjs.c:31101
    #1 0x564b1c4dd486 in __JS_EvalInternal quickjs/quickjs.c:34444
    #2 0x564b1c406d2e in JS_EvalInternal quickjs/quickjs.c:34501
    #3 0x564b1c406d2e in JS_EvalObject quickjs/quickjs.c:34517
    #4 0x564b1c3a5155 in JS_CallInternal quickjs/quickjs.c:16761
    #5 0x564b1c391edb in JS_CallInternal quickjs/quickjs.c:16615
    #6 0x564b1c391edb in JS_CallInternal quickjs/quickjs.c:16615
    #7 0x564b1c3b3649 in JS_CallFree quickjs/quickjs.c:18694
    #8 0x564b1c4da9a1 in JS_EvalFunctionInternal quickjs/quickjs.c:34348
    #9 0x564b1c4de0d2 in __JS_EvalInternal quickjs/quickjs.c:34483
    #10 0x564b1c4d1f48 in JS_EvalInternal quickjs/quickjs.c:34501
    #11 0x564b1c4d1f48 in JS_EvalThis quickjs/quickjs.c:34532
    #12 0x564b1c4d1fd7 in JS_Eval quickjs/quickjs.c:34540
    #13 0x564b1c3654d2 in eval_buf quickjs/qjs.c:71
    #14 0x564b1c365a42 in eval_file quickjs/qjs.c:103
    #15 0x564b1c3648d4 in main quickjs/qjs.c:516
    #16 0x7f27c95c0082 in __libc_start_main ../csu/libc-start.c:308
    #17 0x564b1c364e4d in _start (quickjs/qjs+0x35e4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV quickjs/quickjs.c:31101 in add_closure_variables
==1074913==ABORTING
```

When executed in release mode:

```
Segmentation fault
```

Credits: @Ye0nny, @EJueon

chqrlie commented 7 months ago

Thank you for your report; I shall investigate this bug.