stack-overflow in duk__try_push_vsprintf in duktape/duk_api_stack.c:4800:8 #2550

Open
gandalf4a opened this issue Oct 10, 2023 · 0 comments

Version

$ git show
commit 47eedc5d53cdab72c5933148496b91142d5f0940 (HEAD -> master, origin/master, origin/HEAD)
Merge: f203a13e 7f66f09f
Author: Sami Vaarala <sami.vaarala@iki.fi>
Date:   Sun Sep 10 16:07:39 2023 +0300

Platform

$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Asan

duk_hobject_lookup.c:20:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_lookup.c:20:49 in 
duk_hobject_misc.c:124:70: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:124:70 in 
duk_hobject_misc.c:103:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:103:49 in 
duk_hobject_misc.c:104:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:104:49 in 
duk_hobject_resize.c:400:48: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_resize.c:400:48 in 
duk_hobject_resize.c:401:46: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_resize.c:401:46 in 
duk_hobject_misc.c:266:50: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:266:50 in 
duk_hobject_misc.c:267:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:267:49 in 
duk_heap_markandsweep.c:98:15: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_heap_markandsweep.c:98:15 in 
duk_util_bufwriter.c:27:16: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_util_bufwriter.c:27:16 in 
duk_util_bufwriter.c:29:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_util_bufwriter.c:29:22 in 
duk_hobject_lookup.c:105:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_lookup.c:105:49 in 
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==42314==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffe08e19fa8 (pc 0x7fb2fd475048 bp 0x7ffe08e1a520 sp 0x7ffe08e19fa0 T42314)
    #0 0x7fb2fd475048 in __vfprintf_internal stdio-common/./stdio-common/vfprintf-internal.c:1180:1
    #1 0x7fb2fd488499 in __vsnprintf_internal libio/./libio/vsnprintf.c:114:9
    #2 0x51afd5 in duk__try_push_vsprintf /home/user/fuzz/duktape/duk_api_stack.c:4800:8
    #3 0x51a4f9 in duk_push_vsprintf /home/user/fuzz/duktape/duk_api_stack.c:4855:9
    #4 0x52f4bc in duk_push_error_object_va_raw /home/user/fuzz/duktape/duk_api_stack.c:5612:3
    #5 0x531383 in duk_push_error_object_raw /home/user/fuzz/duktape/duk_api_stack.c:5644:8
    #6 0x55c41b in duk_err_create_and_throw /home/user/fuzz/duktape/duk_error_throw.c:97:3
    #7 0x42bbc9 in duk_err_handle_error /home/user/fuzz/duktape/duk_error_macros.c:30:2
    #8 0x64e633 in duk_err_error_internal /home/user/fuzz/duktape/duk_error_macros.c:82:2
    #9 0x720295 in duk__json_stringify_fast_value /home/user/fuzz/duktape/duk_bi_json.c:2843:2
    #10 0x71c93e in duk__json_stringify_fast_value /home/user/fuzz/duktape/duk_bi_json.c:2589:9
    #11 0x71234e in duk__json_stringify_fast /home/user/fuzz/duktape/duk_bi_json.c:2858:6
    #12 0xa3925d in duk__handle_safe_call_inner /home/user/fuzz/duktape/duk_js_call.c:2346:7
    #13 0x448444 in duk_handle_safe_call /home/user/fuzz/duktape/duk_js_call.c:2592:3
    #14 0x445172 in duk_safe_call /home/user/fuzz/duktape/duk_api_call.c:320:7
    #15 0x4656ca in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3220:14
    #16 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #17 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #18 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #19 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #20 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #21 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #22 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #23 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #24 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #25 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #26 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #27 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #28 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #29 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #30 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #31 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #32 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #33 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #34 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #35 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #36 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #37 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #38 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #39 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #40 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #41 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #42 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #43 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #44 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #45 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #46 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #47 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #48 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #49 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #50 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #51 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #52 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #53 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #54 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #55 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #56 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #57 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #58 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #59 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #60 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #61 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #62 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #63 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #64 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #65 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #66 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #67 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #68 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #69 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #70 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #71 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #72 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #73 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #74 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #75 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #76 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #77 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #78 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #79 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #80 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #81 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #82 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #83 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #84 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #85 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #86 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #87 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #88 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #89 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #90 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #91 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #92 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #93 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #94 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #95 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #96 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #97 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #98 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #99 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #100 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #101 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #102 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #103 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #104 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #105 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #106 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #107 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #108 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #109 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #110 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #111 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #112 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #113 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #114 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #115 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #116 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #117 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #118 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #119 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #120 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #121 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #122 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #123 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #124 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #125 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #126 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #127 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #128 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #129 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #130 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #131 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #132 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #133 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #134 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #135 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #136 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #137 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #138 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #139 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #140 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #141 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #142 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #143 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #144 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #145 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #146 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #147 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #148 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #149 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #150 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #151 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #152 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #153 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #154 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #155 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #156 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #157 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #158 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #159 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #160 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #161 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #162 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #163 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #164 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #165 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #166 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #167 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #168 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #169 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #170 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #171 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #172 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #173 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #174 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #175 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #176 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #177 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #178 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #179 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #180 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #181 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #182 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #183 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #184 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #185 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #186 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #187 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #188 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #189 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #190 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #191 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #192 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #193 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #194 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #195 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #196 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #197 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #198 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #199 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #200 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #201 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #202 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #203 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #204 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #205 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #206 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #207 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #208 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #209 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #210 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #211 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #212 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #213 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #214 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #215 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #216 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #217 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #218 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #219 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #220 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #221 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #222 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #223 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #224 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #225 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #226 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #227 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #228 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #229 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #230 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #231 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #232 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #233 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #234 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #235 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #236 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #237 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #238 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #239 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #240 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #241 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #242 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #243 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7
    #244 0x712b39 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2094:9
    #245 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #246 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #247 0x73a13c in duk__json_enc_object /home/user/fuzz/duktape/duk_bi_json.c:1983:7
    #248 0x715449 in duk__json_enc_value /home/user/fuzz/duktape/duk_bi_json.c:2272:4
    #249 0x466821 in duk_bi_json_stringify_helper /home/user/fuzz/duktape/duk_bi_json.c:3269:6
    #250 0x7c71cb in duk_bi_json_object_stringify /home/user/fuzz/duktape/duk_bi_json.c:3320:2
    #251 0x857ee3 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2143:9
    #252 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #253 0xa11aaf in duk__executor_handle_call /home/user/fuzz/duktape/duk_js_executor.c:2721:20
    #254 0x9e9f3b in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4923:8
    #255 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #256 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #257 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #258 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #259 0xa5f1e7 in duk__get_own_prop_found_getter_helper /home/user/fuzz/duktape/duk_prop_get.c:265:3
    #260 0xa5f1e7 in duk__get_own_prop_found_getter_withkey /home/user/fuzz/duktape/duk_prop_get.c:295:9
    #261 0xa5d755 in duk__get_own_prop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:347:11
    #262 0xa60357 in duk__get_ownprop_strkey_ordinary /home/user/fuzz/duktape/duk_prop_get.c:1097:9
    #263 0xa56508 in duk__get_own_prop_strkey_htypejump /home/user/fuzz/duktape/duk_prop_get.c:1205:9
    #264 0xa6b442 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1275:9
    #265 0xa6b442 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #266 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #267 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #268 0x4a2a41 in duk_prop_getvalue_outidx /home/user/fuzz/duktape/duk_prop_get.c:1867:7
    #269 0x73879c in duk_prop_getvalue_push /home/user/fuzz/duktape/duk_prop_get.c:1889:7

SUMMARY: UndefinedBehaviorSanitizer: stack-overflow stdio-common/./stdio-common/vfprintf-internal.c:1180:1 in __vfprintf_internal
==42314==ABORTING

Reproduce

./duk pocfile

POC File

var o4 = {
    get b() {
        JSON[9007199254740990] = this;
        return JSON["stringify"](JSON);
    },
};
CBOR.encode(o4);
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// ARGS: /home/user/fuzz/duktape/build/duk-fuzzilli --reprl
// EXECUTION TIME: 127ms

Credit

Gandalf4a
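Editor's added example, not code from the issue above or from Duktape. The PoC drives a re-entrancy cycle: CBOR.encode reads o4.b, the getter stores o4 into the JSON object under the key "9007199254740990" and calls JSON.stringify(JSON), that call visits o4 and reads o4.b again, and so on without bound. The trace shows the native stack finally running out inside vsnprintf while Duktape formats an error message (duk__json_stringify_fast_value -> duk_err_error_internal -> duk_push_error_object_raw -> duk_push_vsprintf), so the failure lands in the error-reporting path once the script-level recursion has used up almost all of the stack. The Node.js block below rebuilds the same cycle with plain objects so it can be run anywhere: the empty `sink` object stands in for the global JSON object, `encodeLike` stands in for CBOR.encode (it only needs to read each own property), and `makeBoundedStringify` is the editor's own illustration of giving a script-reentrant serializer an explicit budget so it fails early with a controlled error instead of running the engine to its stack limit. None of these names exist in Duktape.

```javascript
'use strict';
// Added example by the editor; not code from the issue or from Duktape.
// Reconstructs the re-entrancy cycle in the PoC:
//   encoder reads o4.b -> getter stores o4 into a sink object and stringifies
//   the sink -> stringify visits o4 -> reads o4.b -> getter runs again -> ...
// `sink` is a constructed stand-in for the global JSON object used in the PoC.

// Builds the cycle. `stringify` is the serializer the getter calls back into,
// so the same construction can be driven by an unbounded or a bounded serializer.
function buildCycle(stringify) {
  const sink = {};
  let depth = 0;
  let maxDepth = 0;
  const o4 = {
    get b() {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
      try {
        sink[9007199254740990] = this; // key becomes the string "9007199254740990"; value is o4 itself
        return stringify(sink);        // serializing sink visits o4, which reads o4.b again
      } finally {
        depth -= 1;
      }
    },
  };
  return { o4, maxDepth: () => maxDepth };
}

// Minimal stand-in for CBOR.encode in the PoC: it only has to read each own
// property, which is what triggers the getter.
function encodeLike(value) {
  const out = {};
  for (const key of Object.keys(value)) out[key] = value[key];
  return out;
}

// Drives the cycle with the given serializer and reports how the run ended.
function drive(stringify) {
  const { o4, maxDepth } = buildCycle(stringify);
  try {
    encodeLike(o4);
    return { threw: false, error: null, maxDepth: maxDepth() };
  } catch (e) {
    return { threw: true, error: e, maxDepth: maxDepth() };
  }
}

// Unbounded: the engine recurses until its own stack-limit check fires
// (V8 reports this as a RangeError).
function runUnbounded() {
  const r = drive((v) => JSON.stringify(v));
  return { threw: r.threw, isRangeError: r.error instanceof RangeError, maxDepth: r.maxDepth };
}

// Bounded: an explicit re-entrancy budget aborts with a controlled error long
// before native stack headroom becomes the limiting factor. This is the shape
// of guard an embedder wants around any serializer that can call back into script.
function makeBoundedStringify(maxReentry) {
  let active = 0;
  return function boundedStringify(value) {
    if (active >= maxReentry) {
      throw new RangeError('stringify re-entrancy budget of ' + maxReentry + ' exceeded');
    }
    active += 1;
    try {
      return JSON.stringify(value);
    } finally {
      active -= 1;
    }
  };
}

// Runs the cycle against the bounded serializer. With budget N the getter is
// entered N+1 times: the (N+1)th call into boundedStringify is the one refused.
function runBounded(maxReentry) {
  const r = drive(makeBoundedStringify(maxReentry));
  return {
    threw: r.threw,
    isRangeError: r.error instanceof RangeError,
    budgetHit: r.threw && /budget/.test(r.error.message),
    maxDepth: r.maxDepth,
  };
}
```

Run it with `node` and compare `runUnbounded().maxDepth` (however deep the engine lets the cycle go before its stack check) against `runBounded(8).maxDepth` (always 9): the budgeted version stops at a depth chosen by the host, with plenty of stack left for building the error object and its message, which is exactly the step that overflows in the trace above.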