Ticket UUID: 2adeb066894695b38309d92771aea11c8e0a56a8
Title: Nullpointer dereference in jsi_LogMsg
Status: Closed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem: Javascript
Resolution: Fixed
Last Modified: 2018-08-20 16:28:54
Version Found In: 2.4.67 (a37feb7e411cbbca)
User Comments:
anonymous added on 2018-08-16 10:22:07:
Testcase:
x=x=!x

Result:
Crash due to segmentation fault.

Stacktrace (from valgrind):
==26252== Invalid read of size 1
==26252==    at 0x57CCCC0: vfprintf (vfprintf.c:1632)
==26252==    by 0x57CDEF0: buffered_vfprintf (vfprintf.c:2320)
==26252==    by 0x57CB32C: vfprintf (vfprintf.c:1293)
==26252==    by 0x4723B1: Jsi_LogMsg (jsiUtils.c:196)
==26252==    by 0x658FAD: jsi_ValueAssign (jsiEval.c:174)
==26252==    by 0x658FAD: _jsi_evalcode (jsiEval.c:1277)
==26252==    by 0x65B978: jsi_evalcode (jsiEval.c:2085)
==26252==    by 0x65DA39: jsi_evalStrFile (jsiEval.c:2336)
==26252==    by 0x4776B3: Jsi_Interactive (jsiUtils.c:923)
==26252==    by 0x46D31C: Jsi_Main (jsiInterp.c:661)
==26252==    by 0x426449: main (main.c:43)
==26252==  Address 0x1 is not stack'd, malloc'd or (recently) free'd

Note that this crash seems to work only when input is passed to the interpreter as standard input.
Supplying a file with the mentioned code doesn't trigger the bug.

pcmacdon added on 2018-08-19 15:27:26:
Fixed in 2.4.68.
The lookup-failed handling is a bit more convoluted than I'd like.  But another good find.

pcmacdon added on 2018-08-19 15:30:21:
Actually fixed in 2.4.69