Environment
poc:
vulnerability description:
The problem is in `CTinyJS::logic`. At line 1846 of TinyJS.cpp, a null pointer dereference is triggered, as shown in the figure.

The cause of the vulnerability is that when the temporary assignment variable `b` is generated, it is not checked for null, and the subsequent `b->var` access dereferences `b`, which triggers the crash.
PoC construction
During the variable declaration, write 0.