/ View Ticket
Ticket UUID: 870f496bb8a707491df8026e2ff78b33a5cf44c1
Title: Use after free in Jsi_ObjFree
Status: Closed Type: Code_Defect
Severity: Critical Priority: Immediate
Subsystem: Javascript Resolution: Fixed
Last Modified: 2018-09-07 02:03:59
Version Found In: 2.4.77 2.0477
User Comments:
mdominiak added on 2018-09-06 08:44:44:
./jsish testcase

Where testcase can be generated by:
cat compressed | base64 -d | xz -d > testcase

With compressed being

(Sorry for the complicated reproduction procedure)

Segmentation fault

Stack trace (from valgrind):
==8132== Invalid read of size 1
==8132==    at 0x517B64: Jsi_ObjFree (jsiObj.c:230)
==8132==    by 0x51808F: Jsi_ObjDecrRefCount (jsiObj.c:344)
==8132==    by 0x4472E8: ValueFree (jsiValue.c:171)
==8132==    by 0x4472E8: Jsi_ValueFree (jsiValue.c:195)
==8132==    by 0x44754F: Jsi_DecrRefCount (jsiValue.c:50)
==8132==    by 0x46770F: jsiInterpDelete (jsiInterp.c:1735)
==8132==    by 0x4264C3: main (main.c:45)
==8132==  Address 0x5d2b2a9 is 73 bytes inside a block of size 96 free'd
==8132==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8132==    by 0x45A6F3: regExpFree (jsiInterp.c:502)
==8132==    by 0x4C611B: Jsi_HashClear (jsiHash.c:507)
==8132==    by 0x4C63A0: Jsi_HashDelete (jsiHash.c:525)
==8132==    by 0x467063: jsiInterpDelete (jsiInterp.c:1693)
==8132==    by 0x4264C3: main (main.c:45)
==8132==  Block was alloc'd at
==8132==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8132==    by 0x456AAE: Jsi_RegExpNew (jsiRegexp.c:77)
==8132==    by 0x432AE3: jsi_yylex (jsiLexer.c:444)
==8132==    by 0x436A56: yylex (jsiLexer.c:465)
==8132==    by 0x629882: yyparse (parser.c:2249)
==8132==    by 0x664B57: jsiNewParser (jsiEval.c:50)
==8132==    by 0x664B57: jsi_evalStrFile (jsiEval.c:2319)
==8132==    by 0x471EF1: Jsi_Main (jsiInterp.c:794)
==8132==    by 0x426479: main (main.c:43)

pcmacdon added on 2018-09-07 02:03:59:
Fixed in Release "2.4.78" [46cadd145a85522367a57c17f91dc74b7dadbfbb].
I see your point: the bug manifests even with "B,/e/"
The fix: release the regex cache after clean up interp return value.
Another good find, thanks.