search

gfwilliams / tiny-js

Automatically exported from code.google.com/p/tiny-js
MIT License
532 stars 88 forks source link

Null pointer dereference #38

Open bird8693 opened 4 years ago

bird8693 commented 4 years ago

Enviroment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1jhNSWmb-SeA6K4xDWQCEhaJFts7E3iOa

vulnerability description:

CTinyJS :: expression has a problem. On the TinyJS.cpp + 1754 line, a null pointer reference is triggered, as shown in the figure: image The reason for the vulnerability is that when a temporary assignment variable a is generated, it is not verified whether a is empty, and then a-> var refers to a, which causes the vulnerability.

PoC construction

During the variable declaration, write 0. image