stack-overflow in duktape/duk_hobject_props.c:272 in duk__hobject_get_entry_object_stridx #2553

Open
gandalf4a opened this issue Oct 10, 2023 · 0 comments

# Version
```
$ git show
commit 47eedc5d53cdab72c5933148496b91142d5f0940 (HEAD -> master, origin/master, origin/HEAD)
Merge: f203a13e 7f66f09f
Author: Sami Vaarala <sami.vaarala@iki.fi>
Date:   Sun Sep 10 16:07:39 2023 +0300
```

# Platform
```
$ uname -a
Linux user-GE40-2PC-Dragon-Eyes 6.2.0-33-generic #33~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Sep  7 10:33:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
```

# Asan
```
duk_hobject_lookup.c:20:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_lookup.c:20:49 in 
duk_hobject_misc.c:124:70: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:124:70 in 
duk_hobject_misc.c:103:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:103:49 in 
duk_hobject_misc.c:104:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:104:49 in 
duk_hobject_resize.c:400:48: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_resize.c:400:48 in 
duk_hobject_resize.c:401:46: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_resize.c:401:46 in 
duk_hobject_misc.c:266:50: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:266:50 in 
duk_hobject_misc.c:267:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_misc.c:267:49 in 
duk_heap_markandsweep.c:98:15: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_heap_markandsweep.c:98:15 in 
duk_util_bufwriter.c:27:16: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_util_bufwriter.c:27:16 in 
duk_util_bufwriter.c:29:22: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_util_bufwriter.c:29:22 in 
duk_hobject_lookup.c:105:49: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_lookup.c:105:49 in 
duk_hobject_resize.c:29:68: runtime error: applying zero offset to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior duk_hobject_resize.c:29:68 in 
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==273474==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7fff0c8bcfe8 (pc 0x000000565c2d bp 0x7fff0c8bd060 sp 0x7fff0c8bcff0 T273474)
    #0 0x565c2d in duk__hobject_get_entry_object_stridx /home/user/fuzz/duktape/duk_hobject_props.c:272
    #1 0x565bf5 in duk_hobject_get_varmap /home/user/fuzz/duktape/duk_hobject_props.c:299:6
    #2 0x59604f in duk__getid_activation_regs /home/user/fuzz/duktape/duk_js_var.c:850:11
    #3 0x593506 in duk__get_identifier_reference /home/user/fuzz/duktape/duk_js_var.c:919:7
    #4 0x592864 in duk__getvar_helper /home/user/fuzz/duktape/duk_js_var.c:1212:6
    #5 0x754268 in duk_js_getvar_activation /home/user/fuzz/duktape/duk_js_var.c:1260:9
    #6 0x9dec65 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:4597:11
    #7 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #8 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #9 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #10 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #11 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #12 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #13 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #14 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #15 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #16 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #17 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #18 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #19 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #20 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #21 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #22 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #23 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #24 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #25 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #26 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #27 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #28 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #29 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #30 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #31 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #32 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #33 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #34 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #35 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #36 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #37 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #38 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #39 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #40 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #41 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #42 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #43 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #44 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #45 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #46 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #47 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #48 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #49 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #50 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #51 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #52 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #53 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #54 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #55 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #56 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #57 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #58 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #59 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #60 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #61 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #62 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #63 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #64 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #65 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #66 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #67 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #68 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #69 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #70 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #71 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #72 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #73 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #74 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #75 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #76 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #77 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #78 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #79 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #80 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #81 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #82 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #83 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #84 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #85 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #86 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #87 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #88 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #89 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #90 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #91 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #92 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #93 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #94 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #95 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #96 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #97 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #98 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #99 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #100 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #101 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #102 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #103 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #104 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #105 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #106 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #107 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #108 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #109 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #110 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #111 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #112 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #113 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #114 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #115 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #116 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #117 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #118 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #119 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #120 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #121 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #122 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #123 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #124 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #125 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #126 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #127 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #128 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #129 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #130 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #131 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #132 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #133 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #134 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #135 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #136 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #137 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #138 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #139 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #140 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #141 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #142 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #143 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #144 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #145 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #146 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #147 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #148 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #149 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #150 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #151 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #152 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #153 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #154 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #155 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #156 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #157 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #158 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #159 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #160 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #161 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #162 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #163 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #164 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #165 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #166 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #167 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #168 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #169 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #170 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #171 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #172 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #173 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #174 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #175 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #176 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #177 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #178 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #179 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #180 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #181 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #182 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #183 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #184 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #185 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #186 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #187 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #188 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #189 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #190 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #191 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #192 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #193 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #194 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #195 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #196 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #197 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #198 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #199 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #200 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #201 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #202 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #203 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #204 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #205 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #206 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #207 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #208 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #209 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #210 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #211 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #212 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #213 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #214 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #215 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #216 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #217 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #218 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #219 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #220 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #221 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #222 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #223 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #224 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #225 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #226 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #227 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #228 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #229 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #230 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #231 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #232 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #233 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #234 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #235 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #236 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #237 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #238 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #239 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #240 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #241 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #242 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #243 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #244 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #245 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #246 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #247 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #248 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #249 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #250 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #251 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #252 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #253 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #254 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #255 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #256 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #257 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #258 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #259 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #260 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #261 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #262 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #263 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #264 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #265 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2
    #266 0x4f7409 in duk_js_tonumber /home/user/fuzz/duktape/duk_js_ops.c:222:3
    #267 0x4f5de6 in duk_to_number /home/user/fuzz/duktape/duk_api_stack.c:2995:6
    #268 0x4f014f in duk_to_number_m1 /home/user/fuzz/duktape/duk_api_stack.c:3005:9
    #269 0x91fad1 in duk__vm_arith_binary_op /home/user/fuzz/duktape/duk_js_executor.c:308:8
    #270 0x91fad1 in duk__js_execute_bytecode_inner /home/user/fuzz/duktape/duk_js_executor.c:3901:4
    #271 0x873d70 in duk_js_execute_bytecode /home/user/fuzz/duktape/duk_js_executor.c:3009:4
    #272 0x8576e4 in duk__handle_call_raw /home/user/fuzz/duktape/duk_js_call.c:2121:3
    #273 0x441ec2 in duk_handle_call_unprotected /home/user/fuzz/duktape/duk_js_call.c:2293:9
    #274 0x4422cd in duk_call_method /home/user/fuzz/duktape/duk_api_call.c:152:2
    #275 0xa6a5ef in duk__prop_get_own_proxy_tail /home/user/fuzz/duktape/duk_prop_get.c:438:2
    #276 0xa574fb in duk__get_own_prop_strkey_proxy_actual /home/user/fuzz/duktape/duk_prop_get.c:465:10
    #277 0xa585ee in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1332:12
    #278 0xa585ee in duk__prop_get_strkey_safe /home/user/fuzz/duktape/duk_prop_get.c:1402:9
    #279 0xa6cd62 in duk__prop_get_stroridx_helper /home/user/fuzz/duktape/duk_prop_get.c:1385:10
    #280 0xa6cd62 in duk__prop_get_strkey_unsafe /home/user/fuzz/duktape/duk_prop_get.c:1396:9
    #281 0xa6ad4f in duk__prop_get_str /home/user/fuzz/duktape/duk_prop_get.c:1411:9
    #282 0xa4fb7b in duk__prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1624:9
    #283 0x4a40b3 in duk_prop_getvalue_strkey_outidx /home/user/fuzz/duktape/duk_prop_get.c:1654:8
    #284 0x4c8b7c in duk_get_prop_stridx /home/user/fuzz/duktape/duk_api_object.c:116:9
    #285 0x6ec303 in duk_get_method_stridx /home/user/fuzz/duktape/duk_api_object.c:969:9
    #286 0x4f28c4 in duk__to_primitive_helper /home/user/fuzz/duktape/duk_api_stack.c:2875:22
    #287 0x4f22b8 in duk_to_primitive /home/user/fuzz/duktape/duk_api_stack.c:2938:2

SUMMARY: UndefinedBehaviorSanitizer: stack-overflow /home/user/fuzz/duktape/duk_hobject_props.c:272 in duk__hobject_get_entry_object_stridx
==273474==ABORTING
```

# Reproduce
```
./duk pocfile
```

# POC File
```
function f1(a2, a3, a4) {
    // When f1 runs as the Proxy "get" trap, its arguments are
    // (target, key, receiver), so a4 is the proxy itself; ToNumber(a4)
    // goes through ToPrimitive, which looks up a method on the proxy and
    // re-enters this trap.
    Math[6] /= a4;
    // replace() with a non-callable replacement applies ToString to it;
    // on the first call a2 is the proxy, which is what invokes the trap.
    ("J7dDS3Kcx").replace("J7dDS3Kcx", a2);
    return f1;
}
var v7 = f1();          // plain call with undefined arguments, returns f1
var o8 = {
    "get": v7,          // f1 becomes the "get" trap
};
var v10 = new Proxy(Math, o8);
v7(v10);                // f1(proxy): ToString(proxy) -> trap -> ToNumber(proxy) -> trap -> ...
// CRASH INFO
// ==========
// TERMSIG: 11
// STDERR:
// 
// STDOUT:
// 
// ARGS: /home/user/fuzz/duktape/build/duk-fuzzilli --reprl
// EXECUTION TIME: 80ms

```

# Credit
```
Gandalf4a
```
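The recursion behind the PoC, as an added example that is not part of the report above and not Duktape's own code: a Proxy whose `get` trap coerces its own receiver to a number, entered either directly through `Number()` or through the PoC's `String.prototype.replace` path. The helper names (`makeReentrantProxy`, `coerceViaProxy`) are this example's own. In an engine that turns exhaustion of the native stack into a catchable `RangeError` (V8/Node does), both entries end with `"RangeError"` after many trap calls; the trace above shows the fuzzed Duktape build instead running out of C stack inside `duk__hobject_get_entry_object_stridx` and dying with SIGSEGV (TERMSIG 11), which is the point of the report.

```javascript
// Added example, not code from the issue or from Duktape: the re-entrancy
// chain behind the PoC, runnable in any ES2015+ engine. The helper names
// below are this example's own.

// Build a Proxy whose "get" trap coerces its own receiver to a number. That is
// what the PoC's f1 does with `Math[6] /= a4` once f1 is installed as the trap:
// the trap signature is get(target, key, receiver), so a4 is the proxy itself.
function makeReentrantProxy(counter) {
  const handler = {
    get(target, key, receiver) {
      if (counter.depth === 0) {
        counter.firstKey = key;   // the key ToPrimitive asks for first
      }
      counter.depth++;
      // ToNumber(receiver) -> ToPrimitive(receiver, "number")
      //   -> receiver.[[Get]](@@toPrimitive) -> this trap again, unbounded.
      return 0 / receiver;
    },
  };
  // A non-callable target (the PoC uses Math) means replace() will apply
  // ToString to the proxy instead of calling it.
  return new Proxy({}, handler);
}

// Enter the chain the way the PoC does ("replace": ToString via
// String.prototype.replace) or directly ("number": ToNumber), and report how
// the engine ended it.
function coerceViaProxy(entry) {
  const counter = { depth: 0, firstKey: null };
  const proxy = makeReentrantProxy(counter);
  let outcome = "completed";
  try {
    if (entry === "replace") {
      "J7dDS3Kcx".replace("J7dDS3Kcx", proxy);
    } else {
      Number(proxy);
    }
  } catch (e) {
    // V8 converts native stack exhaustion into a catchable RangeError; the
    // Duktape build in the report instead overflows the C stack (SIGSEGV).
    outcome = e instanceof RangeError ? "RangeError" : String(e);
  }
  return { depth: counter.depth, firstKey: counter.firstKey, outcome };
}

// Usage: console.log(coerceViaProxy("replace"));
```

Each trap call corresponds to one ToPrimitive method lookup on the proxy, so `depth` is the number of nested coercions the engine allowed before stopping; the first key requested is `Symbol.toPrimitive`, because ToPrimitive consults it before `valueOf`/`toString`. Nothing in the trap bounds the recursion, which is exactly why the engine's own guard is the only thing standing between this script and a native stack overflow.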