=================================================================
==17728==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d00739 at pc 0x080f052d bp 0xffdd0158 sp 0xffdd0148
READ of size 1 at 0xf4d00739 thread T0
#0 0x80f052c in ecma_utf8_string_to_number jerryscript/jerry-core/ecma/base/ecma-helpers-conversion.c:548
#1 0x80ec774 in ecma_string_to_number jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:827
#2 0x80ae23d in ecma_op_to_number jerryscript/jerry-core/ecma/operations/ecma-conversion.c:257
#3 0x80b0639 in ecma_op_abstract_relational_compare jerryscript/jerry-core/ecma/operations/ecma-comparison.c:308
#4 0x80526ac in opfunc_less_than jerryscript/jerry-core/vm/opcodes-ecma-relational.c:46
#5 0x8076516 in vm_loop.lto_priv.194 jerryscript/jerry-core/vm/vm.c:1950
#6 0x806f22c in vm_execute jerryscript/jerry-core/vm/vm.c:2642
#7 0x806f80e in vm_run jerryscript/jerry-core/vm/vm.c:2730
#8 0x807f6b2 in vm_run_global jerryscript/jerry-core/vm/vm.c:211
#9 0x810192d in jerry_run jerryscript/jerry-core/jerry.c:385
#10 0x8108d3f in main jerryscript/jerry-main/main-unix.c:726
#11 0xf700c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#12 0x8048e50 (jerryscript/build/bin/jerry+0x8048e50)
0xf4d00739 is located 0 bytes to the right of 9-byte region [0xf4d00730,0xf4d00739)
allocated by thread T0 here:
#0 0xf725ddee in malloc (/usr/lib32/libasan.so.2+0x96dee)
#1 0x80a2e2d in jmem_heap_alloc_block_internal jerryscript/jerry-core/jmem/jmem-heap.c:324
#2 0x80a2ee7 in jmem_heap_gc_and_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:360
#3 0x80a2fac in jmem_heap_alloc_block jerryscript/jerry-core/jmem/jmem-heap.c:406
#4 0x80e9bc9 in ecma_new_ecma_string_from_utf8 jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:190
#5 0x806cd0a in ecma_find_or_create_literal_string jerryscript/jerry-core/ecma/base/ecma-literal-storage.c:72
#6 0x809e87b in parser_post_processing jerryscript/jerry-core/parser/js/js-parser.c:1742
#7 0x809f4a2 in parser_parse_source.lto_priv.252 jerryscript/jerry-core/parser/js/js-parser.c:1927
#8 0x808abad in parser_parse_script jerryscript/jerry-core/parser/js/js-parser.c:2382
#9 0x8109678 in jerry_parse jerryscript/jerry-core/jerry.c:278
#10 0x81017af in jerry_parse_named_resource jerryscript/jerry-core/jerry.c:341
#11 0x8108cf6 in main jerryscript/jerry-main/main-unix.c:717
#12 0xf700c636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/ecma/base/ecma-helpers-conversion.c:548 ecma_utf8_string_to_number
Shadow bytes around the buggy address:
0x3e9a0090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9a00a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9a00b0: fa fa fa fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x3e9a00c0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x3e9a00d0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
=>0x3e9a00e0: fa fa 00 fa fa fa 00[01]fa fa 00 fa fa fa 00 00
0x3e9a00f0: fa fa 00 fa fa fa 00 06 fa fa fd fa fa fa 00 00
0x3e9a0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9a0110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9a0120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3e9a0130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==17728==ABORTING
For example Number(".") and Number("e5") should be NaN not
zero. Parsing Number("e") caused buffer overflow as well.
Infinity parsing is a bit faster now.
Fixes jerryscript-project#1636.
JerryScript-DCO-1.0-Signed-off-by: Zoltan Herczeg [email protected]
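The parsing rules the commit message states (`Number(".")`, `Number("e5")` and `Number("e")` must be NaN, not zero or an out-of-bounds read) as an added illustration in C; this is not JerryScript's code, and the names `safe_str_to_number` and `parse_from_exact_heap_region` are hypothetical. The input is a byte buffer of exact length with no terminating NUL, which is the layout the ASan report above shows (a 9-byte heap region read at offset 9), so every read is guarded by a `pos < len` check and the exponent branch cannot run past the end of the string.

```c
#include <math.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounds-checked ECMAScript-style string-to-number routine
 * (illustration only, not JerryScript's implementation). */

static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }
static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* 10^e computed by repeated multiplication so no libm pow() is needed;
 * the caller caps e, and values beyond the double range become inf / 0. */
static double pow10_int(int e)
{
  double r = 1.0;
  int n = e < 0 ? -e : e;
  while (n-- > 0) r *= 10.0;
  return e < 0 ? 1.0 / r : r;
}

/* s points to len bytes that are NOT NUL-terminated. Returns NaN for any
 * string that is not a valid numeric literal (".", "e5", "e", "1e", "12abc"). */
double safe_str_to_number(const char *s, size_t len)
{
  size_t pos = 0;

  /* ECMAScript trims whitespace; "" and "   " convert to 0. */
  while (pos < len && is_ws(s[pos])) pos++;
  while (len > pos && is_ws(s[len - 1])) len--;
  if (pos == len) return 0.0;

  double sign = 1.0;
  if (s[pos] == '+' || s[pos] == '-') {
    sign = (s[pos] == '-') ? -1.0 : 1.0;
    pos++;
  }

  /* Optionally signed "Infinity": length compared before the bytes are. */
  if (len - pos == 8 && memcmp(s + pos, "Infinity", 8) == 0) return sign * INFINITY;

  double value = 0.0;
  size_t mantissa_digits = 0;

  while (pos < len && is_digit(s[pos])) {            /* integer part */
    value = value * 10.0 + (s[pos] - '0');
    pos++; mantissa_digits++;
  }
  if (pos < len && s[pos] == '.') {                   /* fraction part */
    pos++;
    double scale = 0.1;
    while (pos < len && is_digit(s[pos])) {
      value += (s[pos] - '0') * scale;
      scale /= 10.0;
      pos++; mantissa_digits++;
    }
  }

  /* ".", "e5", "e": no mantissa digit at all. Rejecting here means the
   * exponent branch below is never entered for such input. */
  if (mantissa_digits == 0) return NAN;

  if (pos < len && (s[pos] == 'e' || s[pos] == 'E')) { /* exponent part */
    pos++;
    int exp_sign = 1;
    if (pos < len && (s[pos] == '+' || s[pos] == '-')) {
      exp_sign = (s[pos] == '-') ? -1 : 1;
      pos++;
    }
    if (pos >= len || !is_digit(s[pos])) return NAN;  /* "1e", "1e+": marker needs a digit */
    int exponent = 0;
    while (pos < len && is_digit(s[pos])) {
      if (exponent < 400) exponent = exponent * 10 + (s[pos] - '0'); /* cap: no int overflow */
      pos++;
    }
    value *= pow10_int(exp_sign * exponent);
  }

  if (pos != len) return NAN;                          /* trailing garbage */
  return sign * value;
}

/* Parse from a freshly allocated region of exactly len bytes with no NUL,
 * the layout in the ASan report; an off-by-one read here would be flagged
 * by AddressSanitizer, and the guarded parser above never performs one. */
double parse_from_exact_heap_region(const char *src, size_t len)
{
  char *buf = malloc(len ? len : 1);
  if (buf == NULL) return NAN;
  memcpy(buf, src, len);
  double r = safe_str_to_number(buf, len);
  free(buf);
  return r;
}

int main(void)
{
  printf("Number(\"e\")     -> %f\n", parse_from_exact_heap_region("e", 1));   /* nan */
  printf("Number(\"1.5e3\") -> %f\n", parse_from_exact_heap_region("1.5e3", 5)); /* 1500 */
  return 0;
}
```

Compiling with `-fsanitize=address` and running it is the simplest way to confirm the exact-size allocation in `parse_from_exact_heap_region` is never read past its end.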
Jerry version:
OS:
Test case:
Build command:
Backtrace:
Found by Fuzzinator