Ticket UUID: c253f6d80c9018d841e857b69e7ad6436ed95cb9
Title: Memory corruption in _jsi_evalcode
Status: Closed
Type: Code_Defect
Severity: Critical
Priority: Immediate
Subsystem: Javascript
Resolution: Fixed
Last Modified: 2018-08-20 16:27:14
Version Found In: 2.4.70 2.047
User Comments:
anonymous added on 2018-08-20 13:43:30:
Testcase:
./jsish ./testcase

The testcase contains the following (this is the output of `xxd testcase`; you can convert it back to the actual testcase using `xxd -r`):

Result:
Crash due to segmentation fault.

Stacktrace (from valgrind):
==28569== Invalid write of size 1
==28569==    at 0x653D62: _jsi_evalcode (jsiEval.c:1428)
==28569==    by 0x65CA38: jsi_evalcode (jsiEval.c:2085)
==28569==    by 0x65EAF9: jsi_evalStrFile (jsiEval.c:2336)
==28569==    by 0x46EF09: Jsi_Main (jsiInterp.c:778)
==28569==    by 0x426449: main (main.c:43)
==28569==  Address 0x88a043e8 is not stack'd, malloc'd or (recently) free'd

pcmacdon added on 2018-08-20 16:27:14:
Fixed in checkin [357868265a]. Errors in Lexer were not properly propagating up to the parser.
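The fix comment above names the failure pattern without showing it, so here is an added example (not jsish code, and not the actual fix) of a lexer whose error status is recorded and returned, and an evaluator that refuses to run on a stream the lexer did not finish. Token kinds, limits, the `lex`/`evaluate`/`run` functions and the evaluation itself (counting `+` operators) are all hypothetical.

```c
#include <stddef.h>

/* Added example, not jsish code. The point is the plumbing: a lexer
 * error must reach the caller so that evaluation never starts on a
 * partially built token stream. */
enum { TOK_IDENT, TOK_PLUS, TOK_EOF };
enum { LEX_OK = 0, LEX_BAD_BYTE = -1, LEX_TOO_MANY = -2 };
#define MAX_TOKS 64

typedef struct { int kind; } Token;
typedef struct {
    Token toks[MAX_TOKS];
    int ntoks;
    int err;        /* LEX_* status, checked by the evaluator */
    size_t err_pos; /* offset of the offending byte, for diagnostics */
} Program;

/* Accept ASCII identifiers, '+' and spaces. Any other byte, such as the
 * 0x80, 0xff, 0x00 and 0x10 bytes present in the fuzzer testcase above,
 * is a lexer error that is recorded and returned, not silently dropped. */
int lex(const unsigned char *src, size_t len, Program *p) {
    p->ntoks = 0; p->err = LEX_OK; p->err_pos = 0;
    for (size_t i = 0; i < len; ) {
        unsigned char c = src[i];
        if (c == ' ') { i++; continue; }
        if (p->ntoks >= MAX_TOKS - 1) { p->err = LEX_TOO_MANY; p->err_pos = i; return p->err; }
        if (c == '+') { p->toks[p->ntoks++].kind = TOK_PLUS; i++; }
        else if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || c == '_') {
            while (i < len && ((src[i] >= 'a' && src[i] <= 'z') ||
                   (src[i] >= 'A' && src[i] <= 'Z') || src[i] == '_')) i++;
            p->toks[p->ntoks++].kind = TOK_IDENT;
        } else { p->err = LEX_BAD_BYTE; p->err_pos = i; return p->err; }
    }
    p->toks[p->ntoks++].kind = TOK_EOF; /* only reached when every byte lexed */
    return LEX_OK;
}

/* Evaluate only a fully lexed, EOF-terminated program: returns the number
 * of '+' operators, or -1 if the lexer reported an error or never reached
 * the EOF token. A hypothetical evaluation, standing in for real codegen. */
int evaluate(const Program *p) {
    if (p->err != LEX_OK || p->ntoks == 0 || p->toks[p->ntoks - 1].kind != TOK_EOF)
        return -1;
    int plus = 0;
    for (int i = 0; i < p->ntoks; i++) if (p->toks[i].kind == TOK_PLUS) plus++;
    return plus;
}

/* Lex then evaluate, propagating the lexer status instead of ignoring it. */
int run(const unsigned char *src, size_t len) {
    Program p;
    if (lex(src, len, &p) != LEX_OK) return -1;
    return evaluate(&p);
}
```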