[Webkit-unassigned] [Bug 212460] New: fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) in jsc.cpp
bugzilla-daemon at webkit.org
Thu May 28 05:01:15 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=212460
Bug ID: 212460
Summary: fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) in jsc.cpp
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: v.owl337 at gmail.com
Created attachment 400443
--> https://bugs.webkit.org/attachment.cgi?id=400443&action=review
poc.js
Description of problem:
The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948
How reproducible:
./jsc poc.js
(gdb) bt
#0 __GI_raise (sig=sig at entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff2465801 in __GI_abort () at abort.c:79
#2 0x00005555555d5f61 in WTF::VectorBufferBase<char, WTF::FastMalloc>::allocateBuffer (newCapacity=<optimized out>, this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:289
#3 WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity (newCapacity=<optimized out>, this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1190
#4 WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity (this=0x7fffffb1dc70, newMinCapacity=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1048
#5 0x000055555557f8eb in WTF::Vector<char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::resize (size=9223372036854775807, this=0x7fffffb1dc70) at DerivedSources/ForwardingHeaders/wtf/Vector.h:1099
#6 fillBufferWithContentsOfFile<WTF::Vector<char> > (buffer=..., file=0x5555556341f0) at ../../Source/JavaScriptCore/jsc.cpp:948
#7 fillBufferWithContentsOfFile (fileName=..., buffer=...) at ../../Source/JavaScriptCore/jsc.cpp:961
#8 0x00005555555fc785 in fetchScriptFromLocalFileSystem (buffer=..., fileName=...) at ../../Source/JavaScriptCore/jsc.cpp:969
#9 functionRun (globalObject=0x7fffaedfab68, callFrame=0x7fffffb1dd00) at ../../Source/JavaScriptCore/jsc.cpp:1473
The vulnerability was triggered in function fillBufferWithContentsOfFile() at ../../Source/JavaScriptCore/jsc.cpp:948
937 static bool fillBufferWithContentsOfFile(FILE* file, Vector& buffer)
938 {
939     // We might have injected "use strict"; at the top.
940     size_t initialSize = buffer.size();
941     if (fseek(file, 0, SEEK_END) == -1)
942         return false;
943     long bufferCapacity = ftell(file);
944     if (bufferCapacity == -1)
945         return false;
946     if (fseek(file, 0, SEEK_SET) == -1)
947         return false;
948     buffer.resize(bufferCapacity + initialSize);
949     size_t readSize = fread(buffer.data() + initialSize, 1, buffer.size(), file);
950     return readSize == buffer.size() - initialSize;
951 }
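The backtrace above shows Vector::resize() being called with size=9223372036854775807, i.e. LONG_MAX: the code at line 948 trusts whatever ftell() reports after seeking to the end and hands that value straight to the allocator, which is what the CrashOnOverflow abort in frame #2 is for. The example below is an added illustration, not code from WebKit or from the reporter, of how a shell-side file reader can refuse such a size before allocating: it asks fstat() what the descriptor actually is, accepts only regular files, and caps the total at an explicit limit. The names readWholeFile, readPrefixedScript, directoryReadIsRefused and kMaxScriptBytes are assumptions made for this example; std::vector stands in for WTF::Vector.

```cpp
// Added example (not WebKit's code): a bounded replacement for the
// fillBufferWithContentsOfFile() pattern from jsc.cpp. All names here are
// assumptions made for the example.
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>
#include <sys/stat.h>

// Upper bound on how much one script file may be pulled into memory.
// 64 MiB is an arbitrary limit chosen for the example.
static const size_t kMaxScriptBytes = 64u * 1024u * 1024u;

// Appends the file's contents after any bytes already in `buffer` (jsc.cpp keeps
// that prefix for an injected "use strict";). Returns false, without resizing,
// when the stream is not a regular file or the total would exceed maxBytes, so
// a bogus size from the filesystem can no longer drive resize() into an abort.
static bool readWholeFile(FILE* file, std::vector<char>& buffer, size_t maxBytes)
{
    size_t initialSize = buffer.size();

    // Ask the kernel what this descriptor is instead of trusting fseek/ftell:
    // directories and device nodes report meaningless "sizes".
    struct stat st;
    if (fstat(fileno(file), &st) != 0)
        return false;
    if (!S_ISREG(st.st_mode))
        return false;
    if (st.st_size < 0)
        return false;
    size_t fileSize = static_cast<size_t>(st.st_size);
    if (fileSize > maxBytes)
        return false;
    if (initialSize > maxBytes - fileSize) // guards initialSize + fileSize <= maxBytes
        return false;

    if (fseek(file, 0, SEEK_SET) == -1)
        return false;
    buffer.resize(initialSize + fileSize);
    size_t readSize = fread(buffer.data() + initialSize, 1, fileSize, file);
    if (readSize != fileSize) {
        buffer.resize(initialSize + readSize); // drop the unfilled tail on a short read
        return false;
    }
    return true;
}

// Test helper: a temporary file holding `contents` (constructed input).
static FILE* makeTempFile(const std::string& contents)
{
    FILE* f = tmpfile();
    if (!f)
        return nullptr;
    fwrite(contents.data(), 1, contents.size(), f);
    fflush(f);
    rewind(f);
    return f;
}

// Writes `contents` to a temp file and reads it back behind a "use strict";
// prefix, the way jsc.cpp's buffer already carries one. Returns the assembled
// script, or an empty string when the read was refused.
static std::string readPrefixedScript(const std::string& contents, size_t maxBytes)
{
    FILE* f = makeTempFile(contents);
    if (!f)
        return std::string();
    std::vector<char> buffer;
    const char* prefix = "\"use strict\";";
    buffer.assign(prefix, prefix + strlen(prefix));
    bool ok = readWholeFile(f, buffer, maxBytes);
    fclose(f);
    if (!ok)
        return std::string();
    return std::string(buffer.begin(), buffer.end());
}

// The failure mode from the report: a stream that is not a regular file.
// fopen() on a directory succeeds for reading on Linux; the S_ISREG check is
// what turns that into a clean false instead of a huge resize().
static bool directoryReadIsRefused()
{
    FILE* dir = fopen(".", "r");
    if (!dir)
        return true; // nothing to test on this platform
    std::vector<char> buffer;
    bool refused = !readWholeFile(dir, buffer, kMaxScriptBytes);
    fclose(dir);
    return refused && buffer.empty();
}

int main()
{
    printf("%s\n", readPrefixedScript("print(1+1);", kMaxScriptBytes).c_str());
    printf("directory refused: %s\n", directoryReadIsRefused() ? "yes" : "no");
    return 0;
}
```

The limit check is written as `initialSize > maxBytes - fileSize` rather than `initialSize + fileSize > maxBytes` so the addition itself cannot wrap; both operands are already known to be at most maxBytes at that point.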
Additional info:
This vulnerability is detected by chong from OWL337