heap-buffer-overflow in nxt_utf8_encode (nxt_utf8.c:32) #162

@wrauner

NJS version

changeset:   965:e0fdef4eb478
tag:         tip
user:        Dmitry Volyntsev <xeioex@nginx.com>
date:        Thu May 16 15:20:31 2019 +0300
summary:     Fixed uninitialized-memory-access in Object.defineProperties().

JavaScript testcase:

var v0="@褀+Qh"
while (((((((((((((v0)>>>v0.toUpperCase())+() => {
})+(((((((v0)>>>v0.toUpperCase())+() => {
})+(ReferenceError))+(0>>>0))+0)+0))+0)+0)+0)+0)+0)+0)+0)+0)) {
}

JavaScript testcase (b64):

dmFyIHYwPSIAAEDopIAAACtRaAAAAAAiCndoaWxlICgoKCgoKCgoKCgoKCh2MCk+Pj52MC50b1VwcGVyQ2FzZSgpKSsoKSA9PiB7Cn0pKygoKCgoKCh2MCk+Pj52MC50b1VwcGVyQ2FzZSgpKSsoKSA9PiB7Cn0pKyhSZWZlcmVuY2VFcnJvcikpKygwPj4+MCkpKzApKzApKSswKSswKSswKSswKSswKSswKSswKSswKSkgewp9Cgo=

Valgrind output:

==5361== Memcheck, a memory error detector
==5361== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==5361== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==5361== Command: ./build/njs /home/fuzz/encode.js
==5361== 
==5361== Invalid write of size 1
==5361==    at 0x242704: nxt_utf8_encode (nxt_utf8.c:32)
==5361==    by 0x155F04: njs_string_prototype_to_upper_case (njs_string.c:2243)
==5361==    by 0x1CF36B: njs_function_native_call (njs_function.c:587)
==5361==    by 0x130E2D: njs_vmcode_function_call (njs_vm.c:2061)
==5361==    by 0x12BF6F: njs_vmcode_interpreter (njs_vm.c:159)
==5361==    by 0x128E0B: njs_vm_start (njs.c:594)
==5361==    by 0x1179E4: njs_process_script (njs_shell.c:770)
==5361==    by 0x1123C4: njs_process_file (njs_shell.c:619)
==5361==    by 0x1123C4: main (njs_shell.c:281)
==5361==  Address 0x5efcb00 is 0 bytes after a block of size 8,192 alloc'd
==5361==    at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5361==    by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5361==    by 0x24923C: nxt_memalign (nxt_malloc.c:26)
==5361==    by 0x11E52F: nxt_mp_alloc_cluster (nxt_mp.c:549)
==5361==    by 0x11E52F: nxt_mp_alloc_page (nxt_mp.c:514)
==5361==    by 0x11F12C: nxt_mp_alloc_small (nxt_mp.c:426)
==5361==    by 0x1421F9: njs_string_alloc (njs_string.c:218)
==5361==    by 0x12B1B1: njs_string_concat (njs_vm.c:1205)
==5361==    by 0x136EC1: njs_vmcode_addition (njs_vm.c:1170)
==5361==    by 0x12BF6F: njs_vmcode_interpreter (njs_vm.c:159)
==5361==    by 0x128E0B: njs_vm_start (njs.c:594)
==5361==    by 0x1179E4: njs_process_script (njs_shell.c:770)
==5361==    by 0x1123C4: njs_process_file (njs_shell.c:619)
==5361==    by 0x1123C4: main (njs_shell.c:281)

Found by fluff
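
Added example (not njs code, not taken from the report above): the Valgrind trace shows a one-byte write just past the end of an allocated block while toUpperCase() encodes its result. The general bug class is a UTF-8 encoder that trusts the caller's buffer size, combined with output sized from the input's byte length even though case mapping can change a code point's encoded length (Unicode maps U+0250, 2 bytes in UTF-8, to U+2C6F, 3 bytes). The root cause inside nxt_utf8_encode is not asserted here. Every function name below (utf8_encode_bounded, utf8_code_points, transform_capacity, upper_turned_a) is my own, and the input bytes are constructed for the demo.

```c
/* Added illustration, not njs code: a bounds-checked UTF-8 encoder plus a
 * worst-case capacity rule for per-code-point string transforms. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Encode one Unicode scalar value as UTF-8 into the window [dst, end).
 * Returns a pointer just past the bytes written, or NULL when the code
 * point is invalid (surrogate, > U+10FFFF) or would not fit. The caller
 * cannot write past `end` regardless of how the buffer was sized. */
uint8_t *utf8_encode_bounded(uint8_t *dst, const uint8_t *end, uint32_t cp)
{
    size_t need;

    if (cp < 0x80) {
        need = 1;
    } else if (cp < 0x800) {
        need = 2;
    } else if (cp < 0x10000) {
        if (cp >= 0xD800 && cp <= 0xDFFF) {
            return NULL;            /* UTF-16 surrogates are not scalar values */
        }
        need = 3;
    } else if (cp <= 0x10FFFF) {
        need = 4;
    } else {
        return NULL;
    }

    if (dst == NULL || end < dst || (size_t) (end - dst) < need) {
        return NULL;                /* refuse rather than overflow */
    }

    switch (need) {
    case 1:
        dst[0] = (uint8_t) cp;
        break;
    case 2:
        dst[0] = (uint8_t) (0xC0 | (cp >> 6));
        dst[1] = (uint8_t) (0x80 | (cp & 0x3F));
        break;
    case 3:
        dst[0] = (uint8_t) (0xE0 | (cp >> 12));
        dst[1] = (uint8_t) (0x80 | ((cp >> 6) & 0x3F));
        dst[2] = (uint8_t) (0x80 | (cp & 0x3F));
        break;
    default:
        dst[0] = (uint8_t) (0xF0 | (cp >> 18));
        dst[1] = (uint8_t) (0x80 | ((cp >> 12) & 0x3F));
        dst[2] = (uint8_t) (0x80 | ((cp >> 6) & 0x3F));
        dst[3] = (uint8_t) (0x80 | (cp & 0x3F));
        break;
    }

    return dst + need;
}

/* Code points in a well-formed UTF-8 string: every byte that is not a
 * continuation byte (10xxxxxx) starts a new code point. */
size_t utf8_code_points(const uint8_t *s, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) {
            n++;
        }
    }
    return n;
}

/* Safe output capacity for a transform mapping each code point to one code
 * point of possibly different length: 4 bytes per input code point. Sizing
 * by input byte length under-allocates for 2-byte -> 3-byte mappings. */
size_t transform_capacity(const uint8_t *s, size_t len)
{
    return 4 * utf8_code_points(s, len);
}

/* Demo: encode the uppercase of U+0250 (LATIN SMALL LETTER TURNED A), which
 * is U+2C6F (3 bytes), into `out` with the given capacity. Returns bytes
 * written, or 0 when the bounded encoder refused. */
size_t upper_turned_a(size_t capacity, uint8_t *out)
{
    const uint32_t upper = 0x2C6F;  /* Unicode simple uppercase of U+0250 */
    uint8_t *p = utf8_encode_bounded(out, out + capacity, upper);
    return p ? (size_t) (p - out) : 0;
}

int main(void)
{
    const uint8_t input[] = { 0xC9, 0x90 };   /* constructed: "ɐ" (U+0250) */
    uint8_t out[8];
    size_t by_input_len = upper_turned_a(sizeof(input), out);
    size_t cap = transform_capacity(input, sizeof(input));
    size_t by_capacity = upper_turned_a(cap, out);
    printf("input-length sizing: %zu bytes written (0 = refused); "
           "capacity %zu: %zu bytes written\n", by_input_len, cap, by_capacity);
    return 0;
}
```

The point to check in any native string runtime: the encoder must take an end pointer (or remaining length) and fail closed, and the transform's output buffer must be sized from the mapped code points, not from the input's byte count.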