<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - [SEGFAULT] Out of bounds write in llint_entry ()" href="https://bugs.webkit.org/show_bug.cgi?id=167239">167239</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[SEGFAULT] Out of bounds write in llint_entry ()
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>PC
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>WebCore JavaScript
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>fumfi.255&#64;gmail.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Created <span class=""><a href="attachment.cgi?id=299345" name="attach_299345" title="POC to heap out of bounds write (jsc)">attachment 299345</a> <a href="attachment.cgi?id=299345&amp;action=edit" title="POC to heap out of bounds write (jsc)">[details]</a></span>
POC to heap out of bounds write (jsc)

Affected SVN revision: 210958

To reproduce the problem:
./jsc jsc_oobw_llint_entry.js

GDB Backtrace:

#0  0x00007ffff767a830 in llint_entry ()
   from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#1  0x00007ffff767fe91 in llint_entry ()
   from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#2  0x00007ffff767945f in vmEntryToJavaScript ()
   from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#3  0x00007ffff7603aae in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) ()
   from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#4  0x00007ffff75d512f in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) ()
   from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#5  0x00007ffff77cfd5a in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&amp;, JSC::JSValue, WTF::NakedPtr&lt;JSC::Exception&gt;&amp;) () from XYZ/WebKitBuild/Release/lib/libJavaScriptCore.so.1
#6  0x000000000040de87 in runJSC(JSC::VM*, CommandLine) ()
#7  0x000000000040c997 in jscmain(int, char**) ()
#8  0x000000000040c867 in main ()
#9  0x00007ffff3bdd830 in __libc_start_main (main=0x40c850 &lt;main&gt;, argc=0x2, argv=0x7fffffffdcd8, 
    init=&lt;optimized out&gt;, fini=&lt;optimized out&gt;, rtld_fini=&lt;optimized out&gt;, stack_end=0x7fffffffdcc8)
    at ../csu/libc-start.c:291
#10 0x000000000040ad79 in _start ()

Regards,
Kamil Frankowicz</pre>
        </div>
      </p>
    </body>
</html>