Open
Description
JerryScript revision
Build platform
Ubuntu 22.04.3
Build steps
python ./tools/build.py --builddir=xxx --clean --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --stack-limit=20
Test case
import{a as "\{{91406,456}"
Execution steps
./xxx/bin/jerry poc.js
Output
Release:
=================================================================
==2144424==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005c at pc 0x559a32bf48a3 bp 0x7ffedf4f4450 sp 0x7ffedf4f4448
READ of size 1 at 0x60300000005c thread T0
#0 0x559a32bf48a2 in lexer_convert_ident_to_cesu8 /jerryscript/jerry-core/parser/js/js-lexer.c:2083:9
#1 0x559a32bf4e08 in lexer_convert_literal_to_chars /jerryscript/jerry-core/parser/js/js-lexer.c:2133:5
#2 0x559a32bf5d19 in lexer_construct_literal_object /jerryscript/jerry-core/parser/js/js-lexer.c:2367:5
#3 0x559a32b707db in scanner_check_variables /jerryscript/jerry-core/parser/js/js-scanner-util.c:2279:5
#4 0x559a32b67485 in parser_parse_source /jerryscript/jerry-core/parser/js/js-parser.c:2274:9
#5 0x559a32b65924 in parser_parse_script /jerryscript/jerry-core/parser/js/js-parser.c:3332:38
#6 0x559a32ac2f38 in jerry_parse_common /jerryscript/jerry-core/api/jerryscript.c:418:21
#7 0x559a32ac2d34 in jerry_parse /jerryscript/jerry-core/api/jerryscript.c:486:10
#8 0x559a32c2876f in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:52:26
#9 0x559a32c2892f in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63:26
#10 0x559a32abe5b2 in main /jerryscript/jerry-main/main-desktop.c:156:20
#11 0x7f10bf46dd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#12 0x7f10bf46de3f in __libc_start_main csu/../csu/libc-start.c:392:3
#13 0x559a329fe424 in _start (/jerryscript/0323re/bin/jerry+0x41424) (BuildId: efa40b4121fb9ed9276f89fc661eef85c730ab65)
0x60300000005c is located 0 bytes to the right of 28-byte region [0x603000000040,0x60300000005c)
allocated by thread T0 here:
#0 0x559a32a83e4e in __interceptor_malloc (/jerryscript/0323re/bin/jerry+0xc6e4e) (BuildId: efa40b4121fb9ed9276f89fc661eef85c730ab65)
#1 0x559a32c297f6 in jerry_port_source_read /jerryscript/jerry-port/common/jerry-port-fs.c:72:45
#2 0x559a32c2866d in jerryx_source_parse_script /jerryscript/jerry-ext/util/sources.c:33:28
#3 0x559a32c2892f in jerryx_source_exec_script /jerryscript/jerry-ext/util/sources.c:63:26
SUMMARY: AddressSanitizer: heap-buffer-overflow /jerryscript/jerry-core/parser/js/js-lexer.c:2083:9 in lexer_convert_ident_to_cesu8
==2144424==ABORTING
Debug:
ICE: Assertion '(byte >= LIT_CHAR_LOWERCASE_A && byte <= LIT_CHAR_LOWERCASE_F) || (byte >= LIT_CHAR_UPPERCASE_A && byte <= LIT_CHAR_UPPERCASE_F)' failed at /jerryscript/jerry-core/parser/js/js-lexer.c(lexer_unchecked_hex_to_character):178.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted
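Triage helper added here (not part of the report or of JerryScript): it pulls the faulting address, access size, top frame and allocation bounds out of the sanitizer output above and checks them against the byte length of poc.js, which is assumed to be the test-case line followed by a single trailing newline.

```python
import re

# Constructed copy of poc.js: the "Test case" line plus the newline a saved file ends with.
POC_SOURCE = b'import{a as "\\{{91406,456}"\n'

# Trimmed copy of the report's AddressSanitizer output (only the lines this script needs).
ASAN_REPORT = """\
==2144424==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000005c at pc 0x559a32bf48a3 bp 0x7ffedf4f4450 sp 0x7ffedf4f4448
READ of size 1 at 0x60300000005c thread T0
    #0 0x559a32bf48a2 in lexer_convert_ident_to_cesu8 /jerryscript/jerry-core/parser/js/js-lexer.c:2083:9
0x60300000005c is located 0 bytes to the right of 28-byte region [0x603000000040,0x60300000005c)
allocated by thread T0 here:
    #0 0x559a32a83e4e in __interceptor_malloc (/jerryscript/0323re/bin/jerry+0xc6e4e)
    #1 0x559a32c297f6 in jerry_port_source_read /jerryscript/jerry-port/common/jerry-port-fs.c:72:45
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (?P<func>\w+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(r"(?P<bytes>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


def triage(report: str) -> dict:
    """Extract the facts needed to judge an ASan heap-buffer-overflow from its report text."""
    kind = ERROR_RE.search(report)
    access = ACCESS_RE.search(report)
    frame0 = FRAME0_RE.search(report)  # first "#0" is the faulting frame, not the allocation site
    region = REGION_RE.search(report)
    if not (kind and access and frame0 and region):
        raise ValueError("not a heap-buffer-overflow report this script understands")
    addr = int(kind["addr"], 16)
    lo, hi = int(region["lo"], 16), int(region["hi"], 16)
    return {
        "kind": kind["kind"],
        "op": access["op"],
        "access_size": int(access["size"]),
        "faulting_function": frame0["func"],
        "region_size": int(region["bytes"]),
        "region_size_matches_hi_lo": hi - lo == int(region["bytes"]),
        "bytes_past_end": addr - hi,        # 0 means the very first byte after the allocation
        "offset_in_buffer": addr - lo,      # offset of the access relative to the buffer start
    }


def poc_matches_region(report: str, source: bytes) -> bool:
    """True when the overflowed allocation is exactly the PoC file as read from disk,
    i.e. the lexer walked off the end of the source buffer itself."""
    t = triage(report)
    return t["region_size"] == len(source) and t["offset_in_buffer"] == len(source)
```

The 1-byte read lands at offset 28 of the 28-byte source buffer, the first byte past the file contents, which lines up with the debug build's hex-digit assertion in lexer_unchecked_hex_to_character: the lexer expects more escape-sequence characters than the input provides.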