pcmacdon / jsish

Jsi is a small, C-embeddable javascript interpreter with tightly woven Web and DB support.
https://jsish.org/
MIT License

Heap-use-after-free src/jsiArray.c:958 in SortSubCmd #86

Closed hope-fly closed 2 years ago

hope-fly commented 2 years ago
Jsish revision

Commit: 9fa798e

Version: v3.5.0

Build platform

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)

Build steps

```sh
export CFLAGS='-fsanitize=address'
make
```
Test case

```js
var JSEtest = [
  'aa',
  'bb',
  'cc'
];
var results = JSEtest;          // alias of the same array, not a copy
JSEtest.findIndex(function (kV) {
  JSEtest.sort(function (str, position) {
    results.push(kV);           // grows the array while sort() is still walking its buffer
  });
});
```

Execution steps & Output

```
$ ./jsish/jsish poc.js
==106201==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000018678 at pc 0x56468deff5a0 bp 0x7fff9a37c2a0 sp 0x7fff9a37c290
READ of size 8 at 0x60c000018678 thread T0
    #0 0x56468deff59f in SortSubCmd src/jsiArray.c:958
    #1 0x7fb68d0b0311  (/lib/x86_64-linux-gnu/libc.so.6+0x42311)
    #2 0x7fb68d0b027d  (/lib/x86_64-linux-gnu/libc.so.6+0x4227d)
    #3 0x7fb68d0b027d  (/lib/x86_64-linux-gnu/libc.so.6+0x4227d)
    #4 0x7fb68d0b06b5 in qsort_r (/lib/x86_64-linux-gnu/libc.so.6+0x426b5)
    #5 0x56468df02611 in jsi_ArraySortCmd src/jsiArray.c:1065
    #6 0x56468decf818 in jsi_FuncCallSub src/jsiProto.c:244
    #7 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #9 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x56468e1ad15e in jsi_evalcode src/jsiEval.c:2204
    #11 0x56468ded0834 in jsi_FuncCallSub src/jsiProto.c:220
    #12 0x56468de4cfec in jsi_FunctionInvoke src/jsiFunc.c:777
    #13 0x56468de4cfec in Jsi_FunctionInvoke src/jsiFunc.c:789
    #14 0x56468df0dc0b in jsi_ArrayFindSubCmd src/jsiArray.c:576
    #15 0x56468df0dc0b in jsi_ArrayFindIndexCmd src/jsiArray.c:666
    #16 0x56468decf818 in jsi_FuncCallSub src/jsiProto.c:244
    #17 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #18 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #19 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #20 0x56468e1ad15e in jsi_evalcode src/jsiEval.c:2204
    #21 0x56468e1b1274 in jsi_evalStrFile src/jsiEval.c:2665
    #22 0x56468dea066a in Jsi_Main src/jsiInterp.c:936
    #23 0x56468e6a503a in jsi_main src/main.c:47
    #24 0x7fb68d08fbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #25 0x56468de34969 in _start (/usr/local/bin/jsish+0xe8969)

0x60c000018678 is located 56 bytes inside of 128-byte region [0x60c000018640,0x60c0000186c0)
freed by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi_Realloc src/jsiUtils.c:47

previously allocated by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:958 in SortSubCmd
Shadow bytes around the buggy address:
  0x0c187fffb070: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb0a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fffb0c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c187fffb0d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb0f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fffb100: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fffb110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==106201==ABORTING
```
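The trace above shows the pattern behind this class of bug: the comparator passed to `sort` calls `push` on the very array being sorted, `push` grows the element buffer with `Jsi_Realloc`, and `qsort_r` then keeps reading the old, now-freed buffer. The following is an added example, not code from the report or from Jsi, showing the defensive shape an interpreter's array object needs: a `sorting` flag that makes every mutating or re-entrant call fail cleanly while the sort walks the buffer. All names (`StrArray`, `arr_push`, `arr_sort`, `pushing_cmp`, `guarded_sort_demo`) and the sample input are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical dynamic array of strings, standing in for an interpreter's
 * array object. The sorting flag is the whole point: while it is set,
 * nothing may realloc() or re-sort items[]. */
typedef struct {
    char **items;
    size_t len, cap;
    int sorting;   /* non-zero while arr_sort() is walking items[] */
} StrArray;

static char *copy_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Append a copy of s. Returns 0 on success, -1 on allocation failure or
 * when a sort is in progress: growing the buffer here would realloc()
 * items[] out from under the sort, which would then read freed memory
 * (the heap-use-after-free ASan reported above). */
int arr_push(StrArray *a, const char *s) {
    if (a->sorting) return -1;
    if (a->len == a->cap) {
        size_t ncap = a->cap ? a->cap * 2 : 4;
        char **n = realloc(a->items, ncap * sizeof *n);
        if (!n) return -1;
        a->items = n;
        a->cap = ncap;
    }
    char *c = copy_str(s);
    if (!c) return -1;
    a->items[a->len++] = c;
    return 0;
}

typedef int (*StrCmp)(const char *x, const char *y, void *ctx);

/* In-place insertion sort driven by a user comparator. The flag stays set
 * for the whole walk, so a comparator that calls back into arr_push() or
 * arr_sort() is refused instead of invalidating items[]. Returns -1 when
 * called re-entrantly (a comparator that sorts again), 0 otherwise. */
int arr_sort(StrArray *a, StrCmp cmp, void *ctx) {
    if (a->sorting) return -1;
    a->sorting = 1;
    for (size_t i = 1; i < a->len; i++) {
        char *key = a->items[i];
        size_t j = i;
        while (j > 0 && cmp(a->items[j - 1], key, ctx) > 0) {
            a->items[j] = a->items[j - 1];
            j--;
        }
        a->items[j] = key;
    }
    a->sorting = 0;
    return 0;
}

void arr_free(StrArray *a) {
    for (size_t i = 0; i < a->len; i++) free(a->items[i]);
    free(a->items);
    a->items = NULL;
    a->len = a->cap = 0;
}

/* Comparator mirroring the report's callback: it tries to push onto the
 * array that is being sorted and counts how many pushes the guard refused. */
typedef struct { StrArray *arr; int refused; } CmpCtx;

static int pushing_cmp(const char *x, const char *y, void *vctx) {
    CmpCtx *c = vctx;
    if (arr_push(c->arr, "zz") != 0) c->refused++;
    return strcmp(x, y);
}

/* Runs the scenario against the guarded array on the constructed input
 * "cc", "aa", "bb". Returns the number of refused pushes when the array
 * ends up sorted with its length unchanged, or -1 if it does not. */
int guarded_sort_demo(void) {
    StrArray a = { NULL, 0, 0, 0 };
    arr_push(&a, "cc");
    arr_push(&a, "aa");
    arr_push(&a, "bb");
    CmpCtx ctx = { &a, 0 };
    int rc = arr_sort(&a, pushing_cmp, &ctx);
    int ok = rc == 0 && a.len == 3 &&
             strcmp(a.items[0], "aa") == 0 &&
             strcmp(a.items[1], "bb") == 0 &&
             strcmp(a.items[2], "cc") == 0;
    arr_free(&a);
    return ok ? ctx.refused : -1;
}
```

With the three-element input the insertion sort makes three comparisons, so `guarded_sort_demo()` returns 3 refused pushes and the array is left intact. An equally valid alternative, if refusing the mutation is not acceptable at the language level, is to sort a snapshot of the element pointers and write the result back afterwards; either way the invariant is that the buffer `qsort`-style code is walking must not be reallocated or freed until the sort returns.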