search

gfwilliams / tiny-js

Automatically exported from code.google.com/p/tiny-js
MIT License
532 stars 88 forks source link

Null pointer dereference #36

Open bird8693 opened 4 years ago

bird8693 commented 4 years ago

Enviroment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1WRlgq9EXl6Z6aMwZZVt0CmKLxt0IKwOL

It is a problem with CTinyJS :: functionCall. On line TinyJS.cpp + 1467, a null pointer reference is triggered, as shown in the figure:

image The reason for the vulnerability is that when the temporary assignment variable value is generated, it is not verified whether the value is empty, and then the value is referenced by value-> var, which causes the vulnerability.

PoC construction

During the variable declaration, write 0. image