Only an assert stops this from being outside of the correct region. It seems that in most cases the result is pretty benign, but I wouldn't recommend relying on that.
The buffer size was previously badly computed since the scale == 0 case was not checked, therefore the buffer size was smaller than intended.
This patch fixes this issue.
JerryScript-DCO-1.0-Signed-off-by: Robert Fancsik [email protected]
On Ubuntu 16.04.2,
$ python tools/build.py --compile-flag=-m32 --clean --jerry-libc=OFF --system-allocator ON --compile-flag=-ggdb3 --debug --link-lib mcheck
$ cat x.js
39000000000000700 .toString(2);
(gdb) where
#0 jerry_assert_fail (assertion=0x8134df2 "buff_index <= buff_size", file=0x8134d60 "/afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-number-prototype.c",
function=0x812dc40 <func.3568.lto_priv.293> "ecma_builtin_number_prototype_object_to_string", line=0x19e) at /afl/jerryscript/jerry-core/jrt/jrt-fatals.c:76
#1 0x0806c7ef in ecma_builtin_number_prototype_object_to_string.lto_priv.341 (this_arg=0x837be41, arguments_list_p=0xffffd38c, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-number-prototype.c:414
#2 0x08072b84 in ecma_builtin_number_prototype_dispatch_routine (builtin_routine_id=0x22, this_arg_value=0x837be41, arguments_list=0xffffd38c, arguments_number=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-number-prototype.inc.h:34
#3 0x0809968d in ecma_builtin_dispatch_routine (builtin_object_id=ECMA_BUILTIN_ID_NUMBER_PROTOTYPE, builtin_routine_id=0x22, this_arg_value=0x837be41, arguments_list=0xffffd38c,
arguments_number=0x1) at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:91
#4 0x08099a87 in ecma_builtin_dispatch_call (obj_p=0x837c000, this_arg_value=0x837be41, arguments_list_p=0xffffd38c, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:844
#5 0x08091f9e in ecma_op_function_call (func_obj_p=0x837c000, this_arg_value=0x837be41, arguments_list_p=0xffffd38c, arguments_list_len=0x1)
at /afl/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:458
#6 0x08085ce4 in opfunc_call.lto_priv.408 (frame_ctx_p=0xffffd3b4) at /afl/jerryscript/jerry-core/vm/vm.c:411
#7 0x0807db36 in vm_execute (frame_ctx_p=0xffffd3b4, arg_p=0x0, arg_list_len=0x0) at /afl/jerryscript/jerry-core/vm/vm.c:2746
#8 0x0807dcfe in vm_run (bytecode_header_p=0x837bfc0, this_binding_value=0x837bafb, lex_env_p=0x837bb30, is_eval_code=0x0, arg_list_p=0x0, arg_list_len=0x0)
at /afl/jerryscript/jerry-core/vm/vm.c:2826
#9 0x08085939 in vm_run_global (bytecode_p=0x837bfc0) at /afl/jerryscript/jerry-core/vm/vm.c:231
#10 0x080ae327 in jerry_run (func_val=0x837be0b) at /afl/jerryscript/jerry-core/api/jerry.c:425
#11 0x080ad1ce in main (argc=0x2, argv=0xffffd654) at /afl/jerryscript/jerry-main/main-unix.c:691
(gdb) print buff_index
$5 = 0x38
(gdb) print buff_size
$6 = 0x36
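The trace above shows the conversion loop wanting to write 0x38 = 56 characters into a 0x36 = 54-byte buffer, and nothing but a debug-only assert standing between that and an out-of-bounds write. The following is an added illustration of the two things a practitioner would want here, not JerryScript's code and not how its to_string routine is actually structured: the digit count is derived by the same repeated division the emit loop performs (so it can never be short, unlike a size estimated from a decimal digit count or a floating-point logarithm), and the buffer-size check is an ordinary runtime test that refuses the conversion rather than an assert that disappears in release builds. To stay self-contained it restricts itself to integer-valued doubles below 2^64; real Number.prototype.toString(radix) must also handle fractional values. The value 39000000000000700 is the one from the report, and the function and macro names are my own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worst case for any integer that fits in 64 bits is 64 binary digits;
   one more byte for the terminating NUL.  A buffer of this size is safe
   for every radix from 2 to 36. */
#define RADIX_BUF_SIZE 65u

/* Exact number of digits an unsigned 64-bit value needs in the given base,
   found by repeated division.  This is precisely the number of iterations
   the emit loop in double_to_radix() performs, so a buffer sized from it
   cannot come up short, which a size derived from a decimal digit count or
   from a floating-point log estimate can. */
static size_t radix_digit_count(uint64_t v, unsigned radix) {
    size_t n = 1;
    while (v >= radix) {
        v /= radix;
        n++;
    }
    return n;
}

/* Convert an integer-valued double to its representation in base 2..36.
   Returns the number of characters written (excluding the NUL), or 0 on
   any failure: NaN, infinity, a fractional value, magnitude >= 2^64, an
   unsupported radix, or a destination buffer that is too small.  The size
   check is an ordinary runtime test, not an assert, so it is still present
   in release builds where asserts are compiled out. */
static size_t double_to_radix(double d, unsigned radix, char *out, size_t out_size) {
    static const char digit_chars[] = "0123456789abcdefghijklmnopqrstuvwxyz";

    if (radix < 2 || radix > 36 || out == NULL || out_size == 0) return 0;
    if (d != d) return 0;                              /* NaN */
    bool neg = d < 0;
    double mag = neg ? -d : d;
    if (!(mag < 18446744073709551616.0)) return 0;     /* infinity or >= 2^64 */
    uint64_t v = (uint64_t)mag;
    if ((double)v != mag) return 0;                    /* not an integer value */

    size_t ndigits = radix_digit_count(v, radix);
    size_t needed = ndigits + (neg ? 1u : 0u) + 1u;    /* digits + sign + NUL */
    if (needed > out_size) return 0;                   /* refuse instead of overflowing */

    size_t pos = needed - 1;
    out[pos] = '\0';
    do {                                               /* least significant digit first */
        out[--pos] = digit_chars[v % radix];
        v /= radix;
    } while (v != 0);
    if (neg) out[--pos] = '-';
    return needed - 1;
}

/* Run the conversion against a buffer of the requested size (capped at the
   worst case) and report how many characters were written; 0 means refused. */
static size_t convert_with_buffer_size(double d, unsigned radix, size_t size) {
    char buf[RADIX_BUF_SIZE];
    if (size > sizeof buf) size = sizeof buf;
    return double_to_radix(d, radix, buf, size);
}

/* Convenience wrapper returning the text from a worst-case-sized static
   buffer, or NULL when the conversion is refused. */
static const char *radix_string(double d, unsigned radix) {
    static char buf[RADIX_BUF_SIZE];
    return double_to_radix(d, radix, buf, sizeof buf) ? buf : NULL;
}

int main(void) {
    double v = 39000000000000700.0;                    /* the value from the report */
    printf("binary digits needed: %zu\n", radix_digit_count((uint64_t)v, 2));
    printf("written into 54 bytes: %zu\n", convert_with_buffer_size(v, 2, 54));
    printf("written into %u bytes: %s\n", RADIX_BUF_SIZE, radix_string(v, 2));
    return 0;
}
```

Running it reports 56 binary digits for the report's value, the same 0x38 the gdb session shows for buff_index, and a refusal (0 written) when offered the 54-byte buffer from the trace; only a buffer of at least 57 bytes (56 digits plus NUL) is accepted. The same discipline applies whatever the engine's own sizing formula is: compute the bound from the quantity the write loop actually iterates over, and keep the bound check in the non-debug build.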