sebastienros / jint

Javascript Interpreter for .NET
BSD 2-Clause "Simplified" License

`NullReferenceException` when executing `-/[]/` #1021

Closed ioshm closed 2 years ago

ioshm commented 2 years ago

Jint will throw an NRE when executing `-/[]/`, but Edge and Node will return `NaN` instead.

```
Unhandled exception. System.NullReferenceException: Object reference not set to an instance of an object.
   at Jint.Native.RegExp.RegExpPrototype.Source(JsValue thisObj, JsValue[] arguments)
   at Jint.Runtime.Interop.ClrFunctionInstance.Call(JsValue thisObject, JsValue[] arguments)
   at Jint.Engine.Call(FunctionInstance functionInstance, JsValue thisObject, JsValue[] arguments, JintExpression expression)
   at Jint.Native.Object.ObjectInstance.UnwrapFromGetter(PropertyDescriptor desc, JsValue thisObject)
   at Jint.Native.Object.ObjectInstance.UnwrapJsValue(PropertyDescriptor desc, JsValue thisObject)
   at Jint.Native.Object.ObjectInstance.Get(JsValue property, JsValue receiver)
   at Jint.Native.RegExp.RegExpPrototype.ToRegExpString(JsValue thisObj, JsValue[] arguments)
   at Jint.Runtime.Interop.ClrFunctionInstance.Call(JsValue thisObject, JsValue[] arguments)
   at Jint.Runtime.TypeConverter.OrdinaryToPrimitive(ObjectInstance input, Types hint)
   at Jint.Runtime.TypeConverter.ToPrimitiveObjectInstance(ObjectInstance oi, Types preferredType)
   at Jint.Runtime.TypeConverter.ToNumberUnlikely(JsValue o)
   at Jint.Runtime.Interpreter.Expressions.JintUnaryExpression.EvaluateMinus(JsValue value)
   at Jint.Runtime.Interpreter.Expressions.JintUnaryExpression.EvaluateJsValue(EvaluationContext context)
   at Jint.Runtime.Interpreter.Expressions.JintUnaryExpression.EvaluateInternal(EvaluationContext context)
   at Jint.Runtime.Interpreter.Statements.JintExpressionStatement.ExecuteInternal(EvaluationContext context)
   at Jint.Runtime.Interpreter.JintStatementList.Execute(EvaluationContext context)
   at Jint.Engine.<>c__DisplayClass65_0.<Execute>g__DoInvoke|0()
   at Jint.Engine.ExecuteWithConstraints[T](Func`1 callback)
   at Jint.Engine.Execute(Script script)
   at Jint.Engine.Execute(String source, ParserOptions parserOptions)
   at Jint.Engine.Execute(String source)
```

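The stack trace above shows the path a conforming engine is supposed to walk for `-/[]/`: unary minus calls ToNumber, which calls ToPrimitive, which ends up in `RegExp.prototype.toString`, which reads the `source` and `flags` accessors. The following JavaScript is an added example (not Jint's code and not part of the original report) that makes each of those steps observable in Node, and checks that a handful of odd-looking but valid regex literals all coerce to `NaN` rather than failing. The stand-in `probe` object, the `ODD_REGEXES` list and the helper names are constructed for this example.

```javascript
// Added example (not Jint code): why `-/[]/` is NaN in a conforming
// engine, and which steps the engine takes to get there.
//
// Unary minus applies ToNumber to its operand. For an object that means
// ToPrimitive with hint "number": valueOf is tried first, then toString.
// A RegExp inherits Object.prototype.valueOf, which returns the object
// itself and is therefore skipped, so RegExp.prototype.toString decides
// the result. That method is generic: it reads `this.source` and
// `this.flags` and returns "/" + source + "/" + flags. The resulting
// string ("/[]/") is not numeric, so ToNumber yields NaN.

// Traces the property reads that `-regex` triggers, using a stand-in
// object so each step can be observed without patching RegExp.prototype.
function traceUnaryMinus(regex) {
  const reads = [];
  const probe = {
    // Object.prototype.valueOf would return the object itself; log the
    // call and mimic that so ToPrimitive moves on to toString.
    valueOf() { reads.push("valueOf"); return this; },
    toString: RegExp.prototype.toString,
    get source() { reads.push("source"); return regex.source; },
    get flags() { reads.push("flags"); return regex.flags; },
  };
  const value = -probe; // ToNumber -> ToPrimitive -> valueOf, toString
  return { reads: reads.slice(), value, text: regex.toString() };
}

// Regex literals that look odd but are valid ECMAScript (constructed
// list); every one of them must coerce to NaN under unary minus.
const ODD_REGEXES = [/[]/, /[^]/, /(?:)/, /a|/, /(?=)/, new RegExp("")];

function allMinusNaN(list) {
  return list.every((r) => Number.isNaN(-r));
}

// The `source` accessor is the frame Jint's stack trace points at. Per
// spec it is a getter on RegExp.prototype that escapes the pattern so
// that "/" + source + "/" re-parses to the same regex; the empty
// pattern is reported as "(?:)" for exactly that reason.
function sourceOf(pattern) {
  return new RegExp(pattern).source;
}

console.log(-/[]/);                        // NaN
console.log(traceUnaryMinus(/[]/).reads);  // [ 'valueOf', 'source', 'flags' ]
console.log(allMinusNaN(ODD_REGEXES));     // true
console.log(sourceOf(""), sourceOf("[]")); // (?:) []
```

Running `traceUnaryMinus` shows the same order of operations as the trace (ToPrimitive, then `toString`, then the `source` getter), which is why a defect in the `source` accessor surfaces under a plain unary minus and not only when `.source` is read directly.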
lahma commented 2 years ago

Have to ask, what's the use case behind this? A bug though, definitely.

ioshm commented 2 years ago

> Have to ask, what's the use case behind this?

This was discovered through fuzzing. One case where I can see this being used is in obfuscated JavaScript, much like anything else that looks goofy but is valid 😆