robertkrimen / otto

A JavaScript interpreter in Go (golang)
http://godoc.org/github.com/robertkrimen/otto
MIT License
8.11k stars 586 forks

Bug on cmpl.parseExpression #402

Closed retikulum closed 3 years ago

retikulum commented 3 years ago

Hi,

While fuzzing this project, I encountered this bug. Kudos to go-fuzz.

Go Version

go version go1.15.10 linux/amd64

Code

package main

import (
	"fmt"

	"github.com/robertkrimen/otto"
)

func main() {
	// Input found by go-fuzz: the parser turns it into an ast.BadExpression
	// and the compiler panics on that node instead of returning an error.
	dat := "with('')0|t.I߉"
	vm := otto.New()
	if _, err := vm.Run(dat); err != nil { // panics inside Run, never returns
		fmt.Println("run error:", err)
		return
	}
	if value, err := vm.Get("abc"); err == nil {
		if valueInt, err := value.ToInteger(); err == nil {
			fmt.Println("", valueInt, err)
		}
	}
}

Bug

The string "with('')0|t.I߉" causes a panic in cmpl.parseExpression while parsing it. I think it panicked while parsing special characters like "߉".

https://play.golang.org/p/562PRQhWSRm

Error

panic: Here be dragons: cmpl.parseExpression(*ast.BadExpression)

goroutine 1 [running]:
github.com/robertkrimen/otto.(*_compiler).parseExpression(0xc00005dd68, 0x6c2820, 0xc0000126e0, 0x7fd4abb22108, 0xc000194600)
        /home/fuzz/go/src/github.com/robertkrimen/otto/cmpl_parse.go:196 +0x2088
github.com/robertkrimen/otto.(*_compiler).parseStatement(0xc00005dd68, 0x6c2ba0, 0xc0001901b0, 0x6bf700, 0xc000196640)
        /home/fuzz/go/src/github.com/robertkrimen/otto/cmpl_parse.go:244 +0x1739
github.com/robertkrimen/otto.(*_compiler).parseStatement(0xc00005dd68, 0x6c31a0, 0xc000181aa0, 0xc0001901d0, 0x0)
        /home/fuzz/go/src/github.com/robertkrimen/otto/cmpl_parse.go:354 +0x1bac
github.com/robertkrimen/otto.(*_compiler)._parse(0xc00005dd68, 0xc000194600, 0xc000194600)
        /home/fuzz/go/src/github.com/robertkrimen/otto/cmpl_parse.go:375 +0x40b
github.com/robertkrimen/otto.(*_compiler).parse(...)
        /home/fuzz/go/src/github.com/robertkrimen/otto/cmpl.go:23
github.com/robertkrimen/otto.cmpl_parse(0xc000194600, 0x623c00)
        /home/fuzz/go/src/github.com/robertkrimen/otto/cmpl_parse.go:366 +0x55
github.com/robertkrimen/otto.(*_runtime).cmpl_runOrEval(0xc000001380, 0x623c00, 0xc0001965e0, 0x0, 0x0, 0xc00005de00, 0x40afb9, 0x20, 0x62c620, 0x603f01, ...)
        /home/fuzz/go/src/github.com/robertkrimen/otto/runtime.go:816 +0x1e6
github.com/robertkrimen/otto.(*_runtime).cmpl_run(...)
        /home/fuzz/go/src/github.com/robertkrimen/otto/runtime.go:831
github.com/robertkrimen/otto.Otto.Run(0x0, 0xc000001380, 0x623c00, 0xc0001965e0, 0x1, 0xe, 0x0, 0x0, 0x60)
        /home/fuzz/go/src/github.com/robertkrimen/otto/otto.go:295 +0x53
main.main()
        /home/fuzz/go/src/github.com/robertkrimen/otto/fuzz/deneme.go:31 +0x2e5
exit status 2
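The trace above shows the panic is raised on the calling goroutine inside Otto.Run, so any service that evaluates attacker-supplied scripts with otto can be crashed with a single short input. The proper fix belongs in the compiler (return the parser's error for an ast.BadExpression instead of panicking), but an embedder can contain the damage in the meantime. The following Go program is an added example written for this page, not code from the otto project or from the issue reporter: RunUntrusted, ErrEvaluatorPanic, brittleEval and FuzzStatus are assumed names, and brittleEval is a constructed stand-in that panics on non-ASCII input the way the report describes, so the example runs without otto. In a real embedding, run would be a closure around vm.Run.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
)

// ErrEvaluatorPanic is returned when the wrapped evaluator panicked
// (assumed name, defined for this example).
var ErrEvaluatorPanic = errors.New("evaluator panicked")

// RunUntrusted calls run(src) and converts any panic raised inside it into
// a returned error, so one hostile script cannot take down the whole
// process. recover only catches panics on this goroutine, which matches the
// trace in the report (the panic happens inside Otto.Run on the caller's
// goroutine). In an otto embedding run would wrap vm.Run; this helper is
// ours, not part of otto.
func RunUntrusted(run func(src string) (string, error), src string) (result string, err error) {
	defer func() {
		if r := recover(); r != nil {
			result = ""
			err = fmt.Errorf("%w: %v", ErrEvaluatorPanic, r)
		}
	}()
	return run(src)
}

// brittleEval is a constructed stand-in for an interpreter with the failure
// mode from the report: input it cannot handle triggers a panic instead of
// an error. It accepts only ASCII source and echoes it back.
func brittleEval(src string) (string, error) {
	for _, r := range src {
		if r > unicode.MaxASCII {
			panic(fmt.Sprintf("Here be dragons: unexpected rune %q", r))
		}
	}
	return "ok: " + src, nil
}

// FuzzStatus runs every input through the wrapper and reports which ones
// panicked inside the evaluator; nothing here can crash the caller.
func FuzzStatus(inputs []string) map[string]bool {
	panicked := make(map[string]bool, len(inputs))
	for _, in := range inputs {
		_, err := RunUntrusted(brittleEval, in)
		panicked[in] = errors.Is(err, ErrEvaluatorPanic)
	}
	return panicked
}

func main() {
	// Constructed inputs: the crash string from the report and a benign variant.
	inputs := []string{"with('')0|t.I߉", "with('')0|t.I"}
	for in, p := range FuzzStatus(inputs) {
		fmt.Printf("%q panicked=%v\n", in, p)
	}
}
```

The wrapper is a mitigation for embedders, not a substitute for the fix: it turns a crash into an error the caller can log and rate-limit, and it is also the shape a fuzz harness should take so that a panic is recorded as a finding rather than ending the fuzzing run.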