pcmacdon / jsish

Jsi is a small, C-embeddable javascript interpreter with tightly woven Web and DB support.
https://jsish.org/
MIT License

Fail to throw a Type Error #93

Open sunlili opened 2 years ago

sunlili commented 2 years ago

version: jsish 3.5.0
os: ubuntu 20.04

poc1:

var V0 = Object.setPrototypeOf(Object.prototype, Array.prototype);
var V1 = ((Number.NaN != new Object()) !== true);

poc2:

const V5 = Object.setPrototypeOf(Object.prototype, Array.prototype);
let V6 = new RegExp('new value').source;

output: segmentation fault caused by OOM

My fuzzer found these crashes, which are caused by the same bug. Object.setPrototypeOf(Object.prototype, Array.prototype) makes the prototype chain loop. Object.prototype should be an immutable prototype exotic object. So, jsish should throw a TypeError when JS code sets the prototype of the builtin Object.

ISec Lab.
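For comparison, the following added example (not code from the issue or from the jsish project) shows what a spec-conforming engine does with the PoC call, and spells out the cycle check that OrdinarySetPrototypeOf performs so a user-supplied prototype can never close the chain into a loop. Part 1 runs against the host engine's real Object.prototype; part 2 is a stand-alone reference model over plain objects, with its own names (makeOrdinarySetPrototypeOf, ordinarySetPrototypeOf, the protos map), which are this example's assumptions and not jsish identifiers.

```javascript
// Added example, not part of the jsish issue or the jsish code base.

// 1. Object.prototype is an "immutable prototype exotic object" (ECMAScript
//    9.4.7). A conforming engine makes Object.setPrototypeOf throw a TypeError,
//    makes Reflect.setPrototypeOf return false, and leaves the chain intact.
function setObjectPrototypeOutcome() {
  let thrown = null;
  try {
    Object.setPrototypeOf(Object.prototype, Array.prototype); // the PoC call
  } catch (e) {
    thrown = e;
  }
  const reflectResult = Reflect.setPrototypeOf(Object.prototype, Array.prototype);
  return {
    throwsTypeError: thrown instanceof TypeError,
    reflectReturnsFalse: reflectResult === false,
    chainIntact: Object.getPrototypeOf(Object.prototype) === null,
  };
}

// 2. OrdinarySetPrototypeOf (ECMAScript 10.1.2.1) for ordinary objects, modelled
//    over a WeakMap instead of a real [[Prototype]] slot. The loop walks up from
//    the candidate prototype V and refuses if it reaches O itself. Without this
//    check a later chain walk (property lookup, the coercions in the PoCs) never
//    terminates and exhausts memory. Proxy/non-ordinary prototypes are omitted.
function makeOrdinarySetPrototypeOf() {
  const protos = new WeakMap();        // object -> its [[Prototype]] (null = chain root)
  const nonExtensible = new WeakSet();
  const getProto = (o) => (protos.has(o) ? protos.get(o) : null);

  function ordinarySetPrototypeOf(O, V) {
    if (V !== null && typeof V !== 'object') {
      throw new TypeError('prototype must be an object or null');
    }
    const current = getProto(O);
    if (V === current) return true;            // SameValue(V, current): nothing to do
    if (nonExtensible.has(O)) return false;    // non-extensible objects keep their prototype
    let p = V;
    while (p !== null) {
      if (p === O) return false;               // V's chain reaches O: would create a cycle
      p = getProto(p);
    }
    protos.set(O, V);
    return true;
  }

  return { ordinarySetPrototypeOf, getProto, preventExtensions: (o) => nonExtensible.add(o) };
}

// Drive the reference model on constructed objects shaped like the PoC.
function cycleCheckDemo() {
  const { ordinarySetPrototypeOf, getProto } = makeOrdinarySetPrototypeOf();
  const objectProto = {};  // stands in for Object.prototype (root of the chain)
  const arrayProto = {};   // stands in for Array.prototype
  const okArrayProto = ordinarySetPrototypeOf(arrayProto, objectProto); // Array.prototype -> Object.prototype
  const rejected = ordinarySetPrototypeOf(objectProto, arrayProto);     // the PoC: would close the loop
  // Walk the chain from arrayProto; with the check in place this terminates.
  let depth = 0;
  for (let p = arrayProto; p !== null; p = getProto(p)) depth++;
  return { okArrayProto, rejected, depth, objectProtoStillRoot: getProto(objectProto) === null };
}

console.log(setObjectPrototypeOutcome(), cycleCheckDemo());
```

In a conforming engine the first function reports a TypeError and an unchanged chain; the second shows that the same request is refused by the ordinary cycle check even for an object that is not an immutable-prototype exotic, so either rule alone is enough to prevent the looping chain that the PoCs trigger.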