Type confusion in release builds while setting array length from not a number (003) #1972

Closed
@corporateshill

Description

Only an assert stops the function ecma_get_float_from_value from returning pointers from within an ecma value of the wrong type (it's not a float), which will happen in release builds because the assert is compiled out.

It's likely that this has a security impact.

On Ubuntu 16.04.2,

$ python tools/build.py --compile-flag=-m32 --clean --jerry-libc=OFF --system-allocator ON --compile-flag=-ggdb3 --debug --link-lib mcheck

$ cat ArrayLength.js
[].length={valueOf:function(){return Array.prototype.push(1),Object.freeze(Array.prototype);}}

$ MALLOC_CHECK_=1 gdb -q -x mcheck.gdb --args ./build/bin/jerry ArrayLength.js

ICE: Assertion 'ecma_get_value_type_field (value) == ECMA_TYPE_FLOAT' failed at /afl/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_float_from_value):544.
Error: ERR_FAILED_INTERNAL_ASSERTION
[Inferior 1 (process 9992) exited with code 0170]

(gdb) where
#0 ecma_get_number_from_value (value=0x82d58e7) at /afl/jerryscript/jerry-core/ecma/base/ecma-helpers-value.c:562
#1 0x080911ad in ecma_op_array_object_set_length (object_p=0x82d43f0, new_value=0x82d44ab, flags=0x0) at /afl/jerryscript/jerry-core/ecma/operations/ecma-array-object.c:170
#2 0x0808e1fa in ecma_op_object_put (object_p=0x82d43f0, property_name_p=0x82d4520, value=0x82d44ab, is_throw=0x0)
at /afl/jerryscript/jerry-core/ecma/operations/ecma-objects.c:707
#3 0x080858c7 in vm_op_set_value.lto_priv.413 (object=0x82d43f3, property=0x82d4522, value=0x82d44ab, is_strict=0x0) at /afl/jerryscript/jerry-core/vm/vm.c:186
#4 0x08082bcd in vm_loop.lto_priv.409 (frame_ctx_p=0xffffd3f4) at /afl/jerryscript/jerry-core/vm/vm.c:2492
#5 0x0807db1e in vm_execute (frame_ctx_p=0xffffd3f4, arg_p=0x0, arg_list_len=0x0) at /afl/jerryscript/jerry-core/vm/vm.c:2737
#6 0x0807dd0d in vm_run (bytecode_header_p=0x82d44d8, this_binding_value=0x82d406b, lex_env_p=0x82d40a0, is_eval_code=0x0, arg_list_p=0x0, arg_list_len=0x0)
at /afl/jerryscript/jerry-core/vm/vm.c:2826
#7 0x08085948 in vm_run_global (bytecode_p=0x82d44d8) at /afl/jerryscript/jerry-core/vm/vm.c:231
#8 0x080ae336 in jerry_run (func_val=0x82d437b) at /afl/jerryscript/jerry-core/api/jerry.c:425
#9 0x080ad1dd in main (argc=0x2, argv=0xffffd664) at /afl/jerryscript/jerry-main/main-unix.c:691
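The defect pattern in this report, a type check that exists only as an assert and therefore vanishes in release builds, shown beside the hardened form, as an added example that is not JerryScript's code. The encoding, the names (toy_value_t, toy_get_float_checked, toy_set_length, toy_dummy_object) and the set-length caller are constructed for illustration; the real ecma_value_t layout and ecma_op_array_object_set_length differ.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy encoding (not JerryScript's ecma_value_t): the low two bits
 * of a machine word carry the type tag; the upper bits carry either a small
 * unsigned integer or a 4-byte-aligned pointer. */
typedef uintptr_t toy_value_t;

enum { TOY_TYPE_DIRECT = 0, TOY_TYPE_FLOAT = 1, TOY_TYPE_OBJECT = 2 };
#define TOY_TAG_MASK ((uintptr_t) 3)

static toy_value_t toy_make_int(uint32_t n)          /* n must fit in 30 bits */
{
  return ((uintptr_t) n << 2) | TOY_TYPE_DIRECT;
}

static toy_value_t toy_make_float(double d)
{
  double *box = malloc(sizeof *box);               /* heap-boxed double; leaked on purpose in this toy */
  assert(box != NULL && ((uintptr_t) box & TOY_TAG_MASK) == 0);
  *box = d;
  return (uintptr_t) box | TOY_TYPE_FLOAT;
}

static toy_value_t toy_make_object(void *obj_p)
{
  return (uintptr_t) obj_p | TOY_TYPE_OBJECT;
}

static unsigned toy_type(toy_value_t v) { return (unsigned) (v & TOY_TAG_MASK); }

/* The shape the report describes: the only type check is an assert. With
 * NDEBUG defined it is compiled out, and a non-float word would be
 * dereferenced as a double pointer. Shown for comparison only; it is never
 * called with a wrong-typed value below. */
static double toy_get_float_assert_only(toy_value_t v)
{
  assert(toy_type(v) == TOY_TYPE_FLOAT);
  return *(const double *) (v & ~TOY_TAG_MASK);
}

/* Hardened accessor: the tag check is real code in every build and a
 * mismatch is reported to the caller instead of yielding a bogus pointer. */
static bool toy_get_float_checked(toy_value_t v, double *out_p)
{
  if (toy_type(v) != TOY_TYPE_FLOAT)
    return false;
  *out_p = *(const double *) (v & ~TOY_TAG_MASK);
  return true;
}

/* Caller modelled on an array set-length path. A valueOf() side effect can
 * hand back something that is not a number; the caller checks the type at
 * run time and fails cleanly (a TypeError/RangeError in a real engine). */
static bool toy_set_length(uint32_t *length_p, toy_value_t new_value)
{
  double d;
  if (toy_type(new_value) == TOY_TYPE_DIRECT)
    d = (double) (uint32_t) (new_value >> 2);
  else if (!toy_get_float_checked(new_value, &d))
    return false;                                  /* object, not a number */
  /* Length must be an integer in [0, 2^32 - 1]; NaN fails both comparisons. */
  if (!(d >= 0.0 && d <= (double) UINT32_MAX) || d != (double) (uint32_t) d)
    return false;
  *length_p = (uint32_t) d;
  return true;
}

static double toy_dummy_object;                    /* aligned stand-in for an object */

int main(void)
{
  uint32_t len = 0;
  bool ok;
  ok = toy_set_length(&len, toy_make_int(7));
  printf("int 7     -> %d (len=%u)\n", ok, len);
  ok = toy_set_length(&len, toy_make_float(3.0));
  printf("float 3.0 -> %d (len=%u)\n", ok, len);
  ok = toy_set_length(&len, toy_make_object(&toy_dummy_object));
  printf("object    -> %d (len=%u)\n", ok, len);   /* rejected, len unchanged */
  ok = toy_set_length(&len, toy_make_float(2.5));
  printf("float 2.5 -> %d (len=%u)\n", ok, len);   /* rejected, not an integer */
  printf("assert-only accessor on a real float: %g\n",
         toy_get_float_assert_only(toy_make_float(4.0)));
  return 0;
}
```

Compile once with and once without -DNDEBUG to see the difference in where the check lives: toy_get_float_checked behaves the same in both builds, while toy_get_float_assert_only keeps its check only in the debug build.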

Labels: bug (Undesired behaviour)