ecma-helpers-string.c@1221 has an out-of-bounds write (buffer overflow) #2712
Description
Reproducing step:
- I use my Stensal SDK (https://stensal.com), it's free for open source project
- build jerryscript with stensal-c
- Run ./build/tests/unit-test-api-strings
The following is what I got. Notes safe_memcpy is a safe version of memcpy that does array bounds checking. You can treat it like memcpy. I think the fixes is to make sure the length is passed correctly.
DTS_MSG: Stensal DTS detected a fatal program error!
DTS_MSG: Continuing the execution will cause unexpected behaviors, abort!
DTS_MSG: OOB Write:writing 15 bytes at 0xffac10dc will corrupt the adjacent data.
DTS_MSG: Diagnostic information:
- The object to-be-written (start:0xffac10dc, size:5 bytes) is allocated at
-
file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api-strings.c::213, 8 - 0xffac10dc 0xffac10e0
- +------------------------+
- |the object to-be-written|......
- +------------------------+
- ^~~~~~~~~~
- the write starts at the object begin.
- Stack trace (most recent call first):
-[1] file:/home/nwang/acore/musl/src/malloc/safe_memcpy.c::18, 2
-[2] file:/home/sbuilder/workspace/jerryscript/jerry-core/ecma/base/ecma-helpers-string.c::1221, 5
-[3] file:/home/sbuilder/workspace/jerryscript/jerry-core/api/jerry.c::1758, 10
-[4] file:/home/sbuilder/workspace/jerryscript/tests/unit-core/test-api-strings.c::241, 8
-[5] file:/home/nwang/acore/musl/src/env/__libc_start_main.c::180, 11