ccxvii / mujs

An embeddable Javascript interpreter in C.

http://mujs.com/

ISC License

794 stars 96 forks source link

mujs memory leak #142

Closed bird8693 closed 2 years ago

bird8693 commented 3 years ago

Enviroment

operating system: ubuntu18.04
compile command:  make build=sanitize

test command: ./mujs  poc

asan output

![1](https://user-images.githubusercontent.com/13704697/109238415-7869b180-780e-11eb-8d35-5a7fa3eb5aec.png)

poc:

var nullChars = new Array();
nullChars[0] = '"\0"';
for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
    nullChars = new Array([
        -1.7976931348623157e+308,
        9007199254740994,
        nullChars
    ]);
}
nullChars==1;

ccxvii commented 3 years ago

Memory leak?

This code triggers a stack overflow exception when converting the highly nested 'nullChars' array into a string for the 'nullChars==1' expression.

PatchByte commented 2 years ago

i think it isnt a memory leak. it is more like a "I AM GONNA FK UP YOUR COMPLETE SH*T" code. this can only be triggerd by a human

ccxvii commented 2 years ago

It behaves as expected and desired. It throws a stackoverflow exception and refuses to compare. This is the same as all other JS engines.

v8 throws a RangeError: Maximum call stack size exceeded SpiderMonkey throws an InternalError: too much recursion