var V0 = (String ( Number ( "asasa" ) ) !== "NaN");
output:
.../jsish-master/poc.js:1: bug: Ieee function got problem (at or near "asasa")
When StringConstructor() creates the String object, Jsi_ValueToString() will convert the first argument Number ( "asasa" ) to string type. There is a type confusion bug in Jsi_ValueToString() function.
Number ( "asasa" ) is the variable v in above funtion. Since Number ( "asasa" ) is of Object type, jsish executes the JSI_VT_OBJECT case and goes to fmtnum when it finds v->d.obj->ot is of JSI_OT_NUMBER type. However, in jsiValue.c:520, jsish assumes v is of Number type and accesses v->d.num directly, which causes the type confusion.
version: jsish 3.5.0 os: ubuntu 20.04
poc:
output:
When
StringConstructor()creates theStringobject,Jsi_ValueToString()will convert the first argumentNumber ( "asasa" )to string type. There is a type confusion bug inJsi_ValueToString()function.https://github.com/pcmacdon/jsish/blob/4e5066cd2843e5c35d1b89daea143590e268cbb7/src/jsiValue.c#L486-L542
Number ( "asasa" )is the variablevin above funtion. SinceNumber ( "asasa" )is of Object type, jsish executes the JSI_VT_OBJECT case and goes tofmtnumwhen it findsv->d.obj->otis of JSI_OT_NUMBER type. However, in jsiValue.c:520, jsish assumesvis of Number type and accessesv->d.numdirectly, which causes the type confusion.ISec Lab.