heap-buffer-overflow duk_heap_stringcache.c:250:7 in duk__strcache_scan_char2byte_wtf8_backwards_2

[7331akasokoan]

testcase

{}['aaaaaaaaaaaaaaaaaaaaaaaaaaaa🇺🇸 🇦🇫🇦🇲🇸'].pop().lastIndexOf('\uDA91Œ„´‰ˇÁ¨ˆØ∏”’');

Reproducer:

echo -ne "e31bJ2FhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWHwn4e68J+HuCDwn4em8J+Hq/Cfh6bwn4ey8J+HuCddLnBvcCgpLmxhc3RJbmRleE9mKCdcdURBOTHFkuKAnsK04oCwy4fDgcKoy4bDmOKIj+KAneKAmScpOwo=" | base64 -d > poc.js

ASAN

==1485==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800000ca9f at pc 0x562921a1881d bp 0x7ffdf5f4ed90 sp 0x7ffdf5f4ed88
READ of size 1 at 0x60800000ca9f thread T0
    #0 0x562921a1881c in duk__strcache_scan_char2byte_wtf8_backwards_2 /home/xxx/duktape/duk_heap_stringcache.c:250:7
    #1 0x562921a16efe in duk__strcache_scan_char2byte_wtf8_backwards /home/xxx/duktape/duk_heap_stringcache.c:283:2
    #2 0x562921a15fe8 in duk__strcache_scan_char2byte_wtf8_cached /home/xxx/duktape/duk_heap_stringcache.c:395:5
    #3 0x562921a13cb3 in duk_strcache_scan_char2byte_wtf8 /home/xxx/duktape/duk_heap_stringcache.c:497:3
    #4 0x5629217cade5 in duk_push_wtf8_substring_hstring /home/xxx/duktape/duk_unicode_wtf8.c:542:2
    #5 0x562921ac9083 in duk__unicode_wtf8_search_backwards_reference /home/xxx/duktape/duk_unicode_wtf8.c:799:12
    #6 0x562921ac8d97 in duk__unicode_wtf8_search_backwards_1 /home/xxx/duktape/duk_unicode_wtf8.c:901:10
    #7 0x562921ac8b0f in duk_unicode_wtf8_search_backwards /home/xxx/duktape/duk_unicode_wtf8.c:918:9
    #8 0x562921ac7fd4 in duk__str_search_shared /home/xxx/duktape/duk_bi_string.c:45:15
    #9 0x562921a56c8f in duk_bi_string_prototype_indexof_shared /home/xxx/duktape/duk_bi_string.c:432:9
    #10 0x562921ad5d56 in duk__handle_call_raw /home/xxx/duktape/duk_js_call.c:2143:9
    #11 0x5629216e020a in duk_handle_call_unprotected /home/xxx/duktape/duk_js_call.c:2293:9
    #12 0x562921bfb4ed in duk__executor_handle_call /home/xxx/duktape/duk_js_executor.c:2721:20
    #13 0x562921bdb838 in duk__js_execute_bytecode_inner /home/xxx/duktape/duk_js_executor.c:4923:8
    #14 0x562921ae9d18 in duk_js_execute_bytecode /home/xxx/duktape/duk_js_executor.c:3009:4
    #15 0x562921ad559f in duk__handle_call_raw /home/xxx/duktape/duk_js_call.c:2121:3
    #16 0x5629216e020a in duk_handle_call_unprotected /home/xxx/duktape/duk_js_call.c:2293:9
    #17 0x5629216e059d in duk_call_method /home/xxx/duktape/duk_api_call.c:152:2
    #18 0x562921c7aa19 in wrapped_compile_execute /home/xxx/duktape/examples/cmdline/duk_cmdline.c:304:2
    #19 0x562921c17e10 in duk__handle_safe_call_inner /home/xxx/duktape/duk_js_call.c:2346:7
    #20 0x5629216e5b8e in duk_handle_safe_call /home/xxx/duktape/duk_js_call.c:2592:3
    #21 0x5629216e29db in duk_safe_call /home/xxx/duktape/duk_api_call.c:320:7
    #22 0x562921c762aa in handle_fh /home/xxx/duktape/examples/cmdline/duk_cmdline.c:637:7
    #23 0x562921c758c8 in handle_file /home/xxx/duktape/examples/cmdline/duk_cmdline.c:696:11
    #24 0x562921c72eb0 in main /home/xxx/duktape/examples/cmdline/duk_cmdline.c:1656:7
    #25 0x7fa98fd67d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #26 0x7fa98fd67e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #27 0x5629215f6554 in _start (/home/xxx/duktape/build/duk-clang-asan+0x2d554)