The problem is in CTinyJS::condition. At TinyJS.cpp line 1813 a null pointer dereference is triggered, as shown in the figure:
The cause is that when the shift function is used to obtain the value of the JS expression, the returned object value b is empty (null); b is never checked for null, and b->var then dereferences b, causing the vulnerability.
PoC construction
While declaring a variable, the null pointer dereference can be caused by adding a null character; that is, a null character is placed after an element of the array.
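As an added illustration (not TinyJS's own code; the type and function names are constructed stand-ins), the pattern the report describes beside its hardened form: a shift()-like helper returns a null link when the input ends early, such as at an embedded NUL after an array element, and the caller must check that link before touching ->var.

```cpp
#include <cctype>
#include <cstddef>
#include <stdexcept>
#include <string>

// Constructed stand-ins for TinyJS-style variable links (not the project's own
// types): a link that points at a variable, or a null link meaning "no operand".
struct CScriptVar { long value; };
struct CScriptVarLink { CScriptVar *var; };

// Hypothetical analogue of the page's shift(): parse one integer operand at pos.
// Returns nullptr when the input ends or a non-digit such as '\0' is reached,
// the situation the report describes for an array element followed by a NUL.
CScriptVarLink *parseOperand(const std::string &src, size_t &pos) {
    while (pos < src.size() && src[pos] == ' ') ++pos;
    if (pos >= src.size() || !std::isdigit((unsigned char)src[pos]))
        return nullptr;  // "empty" link: nothing to evaluate
    long v = 0;
    while (pos < src.size() && std::isdigit((unsigned char)src[pos]))
        v = v * 10 + (src[pos++] - '0');
    return new CScriptVarLink{new CScriptVar{v}};
}

void freeLink(CScriptVarLink *l) { if (l) { delete l->var; delete l; } }

// Vulnerable pattern from the report: b is used as b->var with no null check,
// so "1 == " followed by a NUL crashes here. Shown for comparison only.
bool conditionUnchecked(const std::string &src) {
    size_t pos = 0;
    CScriptVarLink *a = parseOperand(src, pos);
    pos = src.find("==", pos) + 2;
    CScriptVarLink *b = parseOperand(src, pos);
    return a->var->value == b->var->value;  // null pointer dereference if b == nullptr
}

// Hardened form: validate every link before dereferencing it and turn a
// missing operand into a script error instead of a crash.
bool conditionChecked(const std::string &src) {
    size_t pos = 0;
    CScriptVarLink *a = parseOperand(src, pos);
    if (!a) throw std::runtime_error("missing left operand");
    size_t op = src.find("==", pos);
    if (op == std::string::npos) { freeLink(a); throw std::runtime_error("missing operator"); }
    pos = op + 2;
    CScriptVarLink *b = parseOperand(src, pos);
    if (!b) { freeLink(a); throw std::runtime_error("missing right operand"); }
    bool r = a->var->value == b->var->value;
    freeLink(a); freeLink(b);
    return r;
}

// Wrapper for the checked path: 1 (true), 0 (false) or -1 (script error).
int evalCondition(const std::string &src) {
    try { return conditionChecked(src) ? 1 : 0; }
    catch (const std::runtime_error &) { return -1; }
}
```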
Environment
poc:
https://drive.google.com/open?id=1mnLo6dzO3586JNhV1MtG-0VWEQZIOUzH