Describe the bug
We found a crashing test case when running the njs_process_script_fuzzer with ASAN.
- The bug is reproducible with the latest version of njs.
- I minimized the code to the smallest possible to reproduce the issue.
To reproduce
Steps to reproduce the behavior:
- JS script
var sym = Symbol();
obj[sym];                   // `obj` is hoisted but still undefined here, so this read must throw a TypeError
var obj = { [sym]: "" };
Expected behavior
Should not trigger ASAN error.
Actual behavior
=================================================================
==3557937==ERROR: AddressSanitizer: unknown-crash on address 0x000100000000 at pc 0x0000004a39c1 bp 0x7ffd8a654230 sp 0x7ffd8a653a00
READ of size 2027 at 0x000100000000 thread T0
#0 0x4a39c0 in __asan_memcpy /src/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#1 0x51cb37 in njs_vsprintf /src/njs/src/njs_sprintf.c:430:19
#2 0x64d603 in njs_throw_error_va /src/njs/src/njs_error.c:60:9
#3 0x64d603 in njs_throw_error /src/njs/src/njs_error.c:72:5
#4 0x523766 in njs_property_query /src/njs/src/njs_value.c:614:13
#5 0x520c69 in njs_value_property /src/njs/src/njs_value.c:1070:11
#6 0x54561b in njs_vmcode_interpreter /src/njs/src/njs_vmcode.c:308:15
#7 0x52e4f2 in njs_vm_start /src/njs/src/njs_vm.c:698:11
#8 0x512615 in njs_engine_njs_eval /src/njs/external/njs_shell.c:1387:16
#9 0x512165 in njs_process_script /src/njs/external/njs_shell.c:3340:11
#10 0x510eed in njs_main /src/njs/external/njs_shell.c:454:15
#11 0x510eed in LLVMFuzzerTestOneInput /src/njs/external/njs_shell.c:869:12
#12 0x4efe6c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /tmp/libfuzzer/./FuzzerLoop.cpp:532:15
#13 0x4e1dc5 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /tmp/libfuzzer/./FuzzerDriver.cpp:284:6
#14 0x4e6a71 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /tmp/libfuzzer/./FuzzerDriver.cpp:713:9
#15 0x4e1a92 in main /tmp/libfuzzer/./FuzzerMain.cpp:19:10
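The ASAN trace shows the crash occurring while njs formats the TypeError message for the `obj[sym]` read on an undefined value (njs_property_query -> njs_throw_error -> njs_vsprintf). The regression-style check below is an added example, not code from the njs project or the reporter: it runs the minimized script, parameterized over several constructed property-key variants, under a generic ES2015+ engine (for example Node) and classifies each outcome, so that the expected result (a TypeError, never a crash or a silent success) can be asserted mechanically.

```javascript
// Added example (not from the njs issue or project). Each variant of the
// reporter's minimized script is compiled from a string with the Function
// constructor so that `var obj` is hoisted exactly as in the original file:
// the read of `obj[sym]` happens while `obj` is still undefined.
// A correct engine throws a TypeError there and must never crash.

// Constructed key expressions substituted for `Symbol()` in the script.
const KEY_VARIANTS = {
  "Symbol()":                "Symbol()",
  "Symbol with description": 'Symbol("desc")',
  "Symbol.for":              'Symbol.for("k")',
  "well-known symbol":       "Symbol.iterator",
  "string key":              '"s"',
};

// Rebuilds the reporter's three-line script around a given key expression.
function buildScript(keyExpr) {
  return `var sym = ${keyExpr};\n` +
         `obj[sym];\n` +
         `var obj = { [sym]: "" };`;
}

// Runs one variant and classifies the outcome: "TypeError" is the expected
// result; "no-throw" or any other error type indicates a defect.
function runVariant(keyExpr) {
  try {
    new Function(buildScript(keyExpr))();
    return "no-throw";
  } catch (e) {
    return e instanceof TypeError ? "TypeError" : e.constructor.name;
  }
}

// Runs every variant and returns a name -> outcome map.
function checkAll() {
  const results = {};
  for (const [name, expr] of Object.entries(KEY_VARIANTS)) {
    results[name] = runVariant(expr);
  }
  return results;
}

console.log(checkAll());
```

Running the same script strings through the njs shell under ASAN (rather than through `new Function`) turns this into the corresponding njs-side regression check.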