gfwilliams / tiny-js

Automatically exported from code.google.com/p/tiny-js
MIT License

Null pointer dereference #32

Open bird8693 opened 4 years ago

bird8693 commented 4 years ago

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests poc

poc:

https://drive.google.com/open?id=1dZ0KZHO0GgsxC-dj9HBP2bIYKFvG_EEM

vulnerability description:

There is a problem with CTinyJS::statement. At TinyJS.cpp line 2042, the pointer reference is wrong, as shown in the figure: [image]. When the object link was obtained from the base function, the null pointer was not checked, which caused a null pointer dereference and triggered a crash.

PoC construction

Add a null character after the expression in the JS script: [image]. In the picture, "j = 0;" is the empty character.
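The pattern the report describes, as an added illustration (this is not tiny-js code and does not reproduce its parser): a toy statement parser whose token routine, named `base` here by analogy, returns a null link when the cursor lands on an embedded NUL byte, while the buffer is longer than the NUL-terminated view. The unchecked statement routine dereferences that link blindly; the checked one treats a null link as "no statement here". The `Link`/`ToyParser` names and the PoC-shaped input with a NUL after the first statement are constructed for this example.

```cpp
// Added illustration, not code from tiny-js: a toy parser in which the token
// routine ("base") can return a null link at an embedded NUL byte, and the
// statement routine either dereferences it blindly or checks it first.
#include <cctype>
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct Link {
    std::string name;  // the identifier this link refers to
};

class ToyParser {
public:
    explicit ToyParser(std::string src) : src_(std::move(src)) {}

    // Toy "base" routine: returns the link for the identifier at the cursor,
    // or nullptr when the cursor sits on end of input or on a NUL byte (a lexer
    // that uses NUL as its terminator stops here even though the buffer goes on).
    Link* base() {
        skipSpaces();
        if (atTerminator()) return nullptr;
        std::size_t start = pos_;
        while (pos_ < src_.size() &&
               std::isalnum(static_cast<unsigned char>(src_[pos_]))) {
            ++pos_;
        }
        if (start == pos_) return nullptr;  // not an identifier either
        links_.push_back(std::make_unique<Link>(Link{src_.substr(start, pos_ - start)}));
        return links_.back().get();
    }

    // Unchecked statement: mirrors the bug pattern. Called while the cursor is
    // on the NUL byte, base() returns nullptr and this dereferences it.
    std::string statementUnchecked() {
        Link* link = base();
        expect(';');
        return link->name;  // null pointer dereference when link == nullptr
    }

    // Checked statement: a null link means "no statement here", not a crash.
    bool statementChecked(std::string& out) {
        Link* link = base();
        if (link == nullptr) return false;
        expect(';');
        out = link->name;
        return true;
    }

    bool atTerminator() const { return pos_ >= src_.size() || src_[pos_] == '\0'; }
    std::size_t pos() const { return pos_; }

private:
    void skipSpaces() { while (pos_ < src_.size() && src_[pos_] == ' ') ++pos_; }
    void expect(char c) {
        skipSpaces();
        if (pos_ < src_.size() && src_[pos_] == c) ++pos_;
    }

    std::string src_;
    std::size_t pos_ = 0;
    std::vector<std::unique_ptr<Link>> links_;
};

// Parses statements until the first terminator (end of buffer or NUL) using
// the checked routine, so a NUL in the middle of the script ends parsing
// instead of crashing.
std::vector<std::string> parseScript(const std::string& src) {
    ToyParser p(src);
    std::vector<std::string> names;
    std::string name;
    while (p.statementChecked(name)) names.push_back(name);
    return names;
}

// Constructed PoC-shaped input (hypothetical): one statement, an embedded NUL,
// then "j = 0;" sitting behind the NUL. The explicit length keeps the NUL in
// the std::string instead of truncating at it.
const std::string kPocScript = std::string("i; \0j = 0;", 10);
```

After the first statement is consumed, the cursor rests on the NUL byte and `base()` returns `nullptr`; that return value is exactly what the unchecked path would dereference, which is why the checked path tests it before touching `link->name`.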