[Webkit-unassigned] [Bug 167239] New: [SEGFAULT] Out of bounds write in llint_entry ()
bugzilla-daemon at webkit.org
Fri Jan 20 05:59:00 PST 2017
https://bugs.webkit.org/show_bug.cgi?id=167239
Bug ID: 167239
Summary: [SEGFAULT] Out of bounds write in llint_entry ()
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: WebCore JavaScript
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fumfi.255 at gmail.com
Created attachment 299345
--> https://bugs.webkit.org/attachment.cgi?id=299345&action=review
PoC for heap out-of-bounds write (jsc)
Affected SVN revision: 210958
To reproduce the problem:
./jsc jsc_oobw_llint_entry.js
GDB Backtrace:
#0 0x00007ffff767a830 in llint_entry ()
from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#1 0x00007ffff767fe91 in llint_entry ()
from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#2 0x00007ffff767945f in vmEntryToJavaScript ()
from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#3 0x00007ffff7603aae in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#4 0x00007ffff75d512f in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) ()
from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#5 0x00007ffff77cfd5a in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) () from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#6 0x000000000040de87 in runJSC(JSC::VM*, CommandLine) ()
#7 0x000000000040c997 in jscmain(int, char**) ()
#8 0x000000000040c867 in main ()
#9 0x00007ffff3bdd830 in __libc_start_main (main=0x40c850 <main>, argc=0x2, argv=0x7fffffffdcd8,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdcc8)
at ../csu/libc-start.c:291
#10 0x000000000040ad79 in _start ()
Regards,
Kamil Frankowicz