
tiny-js's Introduction

tiny-js

(originally on Google Code)

This project aims to be an extremely simple (~2000 line) JavaScript interpreter, meant for inclusion in applications that require a simple, familiar script language that can be included with no dependencies other than normal C++ libraries. It currently consists of two source files: one containing the interpreter, another containing built-in functions such as String.substring.

TinyJS is not designed to be fast or full-featured. However it is great for scripting simple behaviour, or loading & saving settings.

I make absolutely no guarantees that this is compliant to JavaScript/EcmaScript standard. In fact I am sure it isn't. However I welcome suggestions for changes that will bring it closer to compliance without overly complicating the code, or useful test cases to add to the test suite.

Currently TinyJS supports:

  • Variables, Arrays, Structures
  • JSON parsing and output
  • Functions
  • Calling C/C++ code from JavaScript
  • Objects with Inheritance (not fully implemented)

Please see CodeExamples for examples of code that works...

For a list of known issues, please see the comments at the top of the TinyJS.cpp file, as well as the GitHub issues.

There is also the 42tiny-js branch - this is maintained by Armin and provides a more full-featured JavaScript implementation than GitHub master.

TinyJS is released under an MIT licence.

Internal Structure

TinyJS uses a Recursive Descent Parser, so there is no 'Parser Generator' required. It does not compile to an intermediate code, and instead executes directly from source code. This makes it quite fast for code that is executed infrequently, and slow for loops.

Variables, Arrays and Objects are stored in a simple linked list tree structure (42tiny-js uses a C++ Map). This is simple, but relatively slow for large structures or arrays.

JavaScript for Microcontrollers

If you're after JavaScript for microcontrollers, take a look at the Espruino JavaScript Interpreter - it is a complete rewrite of TinyJS targeted at processors with extremely low RAM (8 KB or more). It is currently available for a range of STM32 ARM microcontrollers, including two boards that have it pre-installed.

tiny-js's People

Contributors

gfwilliams, longhronshen


tiny-js's Issues

I have made a small wrapper with hours

When adding a callback function, just like this:

#include <string>
using std::string;

// Example host object whose member functions are exposed to script.
class cboy
{
public:
    int add_age(int n) 
    {
        m_age += n;
        return m_age; 
    }

    void set_name(string name) 
    {
    }

    string do_some_thing(int n, double d, string str)
    {
        return "ok";
    }
private:
    int m_age = 0;   // initialised so add_age() never reads an indeterminate value
};

// Free functions exposed to script.
static double mySqr(double d)
{ 
    return d*d;
}


static string myStringConcat(string strL, string strR) 
{
    return strL+strR;
}

static double myDoSomeThing(int n, double d, string str1, string str2)
{
    return n+d;
}

void test(CString str1)
{
    CTinyJS_Wrapper s;   // the reporter's own wrapper around CTinyJS

    // Member functions are bound to one object instance; the template
    // arguments give the return type and the sequence of argument types.
    cboy boy;
    s.addExFun( MakeFunObj<int, Seq<int>>("add_boy_age", &boy, &cboy::add_age) );
    s.addExFun( MakeFunObj<void, Seq<string>>("set_boy_name", &boy, &cboy::set_name) );
    s.addExFun( MakeFunObj<string, Seq<int,double,string>>("boy_do_some_thing", &boy, &cboy::do_some_thing) );

    // Free functions need no object pointer.
    s.addExFun( MakeFunObj<double, Seq<double>>("sqr", &mySqr) );
    s.addExFun( MakeFunObj<string, Seq<string, string>>("strcon", &myStringConcat) );
    s.addExFun( MakeFunObj<double, Seq<int, double, string, string>>("do_some_thing", &myDoSomeThing) );

...
}


my email:[email protected]
sorry for poor english

Original issue reported on code.google.com by [email protected] on 22 Mar 2013 at 11:37


Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1jhNSWmb-SeA6K4xDWQCEhaJFts7E3iOa

vulnerability description:

There is a problem in CTinyJS::expression. At TinyJS.cpp line 1754, a null pointer dereference is triggered, as shown in the figure:
The reason for the vulnerability is that when the temporary assignment variable a is produced, it is not verified whether a is empty, and a->var is then dereferenced, which causes the vulnerability.

PoC construction

During the variable declaration, write 0.

integer arithmetic

TinyJS seems to treat integers differently from other numbers?

enno@erdbaer:~/src/tiny-js@master$ ./Script
> Interactive mode... Type quit(); to exit, or print(...); to print something, or dump() to dump the symbol table!
print(5/2);
> 2
print(5.0/2);
> 2.500000
print(123 === 123.0);
> 0

This doesn't match the behavior of other JavaScript implementations, or indeed the wording at https://www.w3schools.com/js/js_numbers.asp:

Unlike many other programming languages, JavaScript does not define different types of numbers, like integers, short, long, floating-point etc.
JavaScript numbers are always stored as double precision floating point numbers, following the international IEEE 754 standard.

And the standard explicitly says:

ECMAScript does not perform integer division. The operands and result of all division operations are double-precision floating-point numbers.

Is this intentional? Is there a way to make TinyJS behave like the standard? Perhaps a compile-time option could be added?

Polymorphism/Variable # of arguments

Is there a way to do this in tiny-js? The way JavaScript usually handles polymorphism is with variable argument counts. The following seems to fail in tiny-js.

function test(a,b)
{
    alert(a);
}

test("hello there!");

alert() is my own function, and it works in browser's javascript.

I'm guessing it wouldn't be hard to implement in this function by padding non-existent arguments with nulls:

CScriptVarLink *CTinyJS::functionCall(bool &execute, CScriptVarLink *function, CScriptVar *parent) {
  if (execute) {

Am I wrong? I have slightly out of date code. If it was added recently I would have missed it. I can hack in an implementation if it's something that is desired.

Thanks.

Original issue reported on code.google.com by [email protected] on 16 Feb 2012 at 5:55

Array.push - not defined?

The Array push function seems undefined.
A simple script like this:

out = new Array();
out.push();

gives the following error:

ReferenceError: push is undefined at Line:2 Column:9

The C++ code I use for this is the following (from the samples):

#include <cstdio>
#include "TinyJS.h"

void test()
{
    CTinyJS *js = new CTinyJS();

    try {
        js->execute(GetCode());   // GetCode() returns the script text (reporter's helper)
    } catch (CScriptException *e) {
        printf("%s\n", e->toString().c_str());
    }
    delete js;   // release the interpreter once the script has run
}

I am using 42tiny-js.
compiler : Visual Studio 2012
OS: Windows 7 (64 bit)

I am trying this library for the first time. Am I missing something simple?

Regards

Original issue reported on code.google.com by [email protected] on 11 Apr 2013 at 11:53

heap-use-after-free

Environment

operating system: ubuntu18.04
compile: use Google's ASan (https://github.com/google/sanitizers) for vulnerability detection; specifically, in the Makefile add `-fsanitize=address` to CFLAGS, then run make
test command: ./run_tests  poc

poc:

{ 
  "String" : { 
    "indexOf" : function (search) ,
    "substring" : function (lo,hi) ,
    "charAt" : function (pos) ,
    "charCodeAt" : function (pos) ,
    "fromCharCode" : function (char) ,
    "split" : function (separator) 
  },
  "Array" : { 
    "contains" : function (obj) ,
    "remove" : function (obj) ,
    "join" : function (separator) 
  },
  "Object" : { 
    "dump" : function () ,
    "clone" : function () 
  },
  "exec" : function (jsCode) ,
  "eval" : function (jsCode) ,
  "trace" : function () ,
  "Math" : { 
    "rand" : function () ,
    "randInt" : function (min,max) ,
    "abs" : function (a) ,
    "round" : function (a) ,
    "min" : function (a,b) ,
    "max" : function (a,b) ,
    "range" : function (x,a,b) ,
    "sign" : function (a) ,
    "PI" : function () ,
    "toDegrees" : function (a) ,
    "toRadians" : function (a) ,
    "sin" : function (a) ,
    "asin" : function (a) ,
    "cos" : function (a) ,
    "acos" : function (a) ,
    "tan" : function (a) ,
    "atan" : function (a) ,
    "sinh" : function (a) ,
    "asinh" : function (a) ,
    "cosh" : function (a) ,
    "acosh" : function (a) ,
    "tanh" : function (a) ,
    "atanh" : function (a) ,
    "E" : function () ,
    "log" : function (a) ,
    "log10" : function (a) ,
    "exp" : function (a) ,
    "pow" : function (a,b) ,
    "sqr" : function (a) ,
    "sqrt" : function (a) 
  },
  "charToInt" : function (ch) ,
  "Integer" : { 
    "parseInt" : function (str) ,
    "valueOf" : function (str) 
  },
  "JSON" : { 
    "stringify" : function (obj,replacer) 
  },
  "result" : 0,
  "configPATH" : undefined
}

vulnerability description:

It is a use-after-free vulnerability; below is the ASan output:

==20367==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c538 at pc 0x000000441587 bp 0x7fff229a1790 sp 0x7fff229a1780
READ of size 1 at 0x60600000c538 thread T0
#0 0x441586 in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1853
#1 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#2 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#3 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#4 0x442634 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#5 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#6 0x446011 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1986
#7 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#8 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#9 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#10 0x7fa9198ef82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)

0x60600000c538 is located 56 bytes inside of 64-byte region [0x60600000c500,0x60600000c540)
freed by thread T0 here:
#0 0x7fa91a5d3b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864

previously allocated by thread T0 here:
#0 0x7fa91a5d3532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568

SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1853 CTinyJS::logic(bool&)
==20367==ABORTING

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1rn2gi6JArZARCNQIL2EARMLy06a0-i8V

vulnerability description:

It is a null pointer dereference. Here is where it crashed; you can see that the value of rax is 0:

But the instruction at the crash point dereferences rax:


Variable attribute defines conflict with function.

What steps will reproduce the problem?
1. function a (){};
2. b = {};
3. b.a = {};
4. a();

What is the expected output? What do you see instead?
Function "a" should be called. But the error message "Error Expecting 'a' to be a function at (line: 1, col: 1)" is received.

What version of the product are you using? On what operating system?
Version 1.6 is used on CentOS 5.4


Please provide any additional information below.
When using dump() to show symbols, I found that the function "a" is reassigned to "{}" by the "b.a = {};" call.

Original issue reported on code.google.com by [email protected] on 23 Apr 2010 at 7:13

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1WRlgq9EXl6Z6aMwZZVt0CmKLxt0IKwOL

It is a problem with CTinyJS::functionCall. At TinyJS.cpp line 1467, a null pointer dereference is triggered, as shown in the figure:

The reason for the vulnerability is that when the temporary assignment variable value is produced, it is not verified whether value is empty, and value->var is then dereferenced, which causes the vulnerability.

PoC construction

During the variable declaration, write 0.

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1pgFKnPb7wJKqKTCfBKp7S6swKPvwBU2L

vulnerability description:

First observe the stack traceback, as shown in the figure:
There is a problem with CTinyJS::factor. At TinyJS.cpp line 1642, a null pointer dereference occurs, as shown in the figure:
The reason for the vulnerability is that when the temporary assignment variable a is produced, it is not verified whether a is empty, and a->var is then dereferenced, which causes the vulnerability.
There is a '\x00' character after the "x:" here. During parsing, tiny-js treats "x:" as empty, so the base parsing function returns 0, but a->var is dereferenced without checking it first, and the vulnerability results.

How to use defined class on 42TinyJS?

For example:
function Person(name) {
  this.name = name;
  this.kill = function() { this.name += " is dead"; };
}

var a = new Person("Kenny");
a.kill();

Why can't 42TinyJS support this usage?
And how can I do it?

Original issue reported on code.google.com by [email protected] on 31 Dec 2011 at 3:55

Python version of tiny-js

Two months ago, I used Python 2.7 to rewrite the interpreter just for fun.
https://github.com/atupal/tinyjs.py
I have a plan to translate it to Python bytecode or use PyPy toolchains.
:D.

This is an awesome project, thanks.

Original issue reported on code.google.com by [email protected] on 13 Feb 2015 at 3:16

heap-use-after-free

Environment

operating system: ubuntu18.04
compile: use Google's ASan (https://github.com/google/sanitizers) for vulnerability detection; specifically, in the Makefile add `-fsanitize=address` to CFLAGS, then run make
test command: ./run_tests  poc

poc:

{ 
  "String" : { 
    "indexOf" : function (search) ,
    "substring" : function (lo,hi) ,
    "charAt" : function (pos) ,
    "charCodeAt" : function (pos) ,
    "fromCharCode" : function (char) ,
    "split" : function (separator) 
  },
  "Array" : { 
    "contains" : function (obj) ,
    "remove" : function (obj) ,
    "join" : function (separator) 
  },
  "Object" : { 
    "dump" : function () ,
    "clone" : function () 
  },
  "exec" : function (jsCode) ,
  "eval" : function (jsCode) ,
  "trace" : function () ,
  "Math" : { 
    "rand" : function () ,
    "randInt" : function (min,max) ,
    "abs" : function (a) ,
    "round" : function (a) ,
    "min" : function (a,b) ,
    "max" : function (a,b) ,
    "range" : function (x,a,b) ,
    "sign" : function (a) ,
    "PI" : function () ,
    "toDegrees" : function (a) ,
    "toRadians" : function (a) ,
    "sin" : function (a) ,
    "asin" : function (a) ,
    "cos" : function (a) ,
    "acos" : function (a) ,
    "tan" : function (a) ,
    "atan" : function (a) ,
    "sinh" : function (a) ,
    "asinh" : function (a) ,
    "cosh" : function (a) ,
    "acosh" : function (a) ,
    "tanh" : function (a) ,
    "atanh" : function (a) ,
    "E" : function () ,
    "log" : function (a) ,
    "log10" : function (a) ,
    "exp" : function (a) ,
    "pow" : function (a,b) ,
    "sqr" : function (a) ,
    "sqrt" : function (a) 
  },
  "charToInt" : function (ch) ,
  "Integer" : { 
    "parseInt" : function (str) ,
    "valueOf" : function (str) 
  },
  "JSON" : { 
    "stringify" : function (obj,replacer) 
  },
  "result" : 0,
  "configPATH" : undefined
}

vulnerability description:

It is a use-after-free vulnerability; below is the ASan output:

=================================================================
==20360==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600000c2f8 at pc 0x000000442829 bp 0x7ffd5e984670 sp 0x7ffd5e984660
READ of size 1 at 0x60600000c2f8 thread T0
#0 0x442828 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x4390f4 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1547
#3 0x43c366 in CTinyJS::unary(bool&) /home/node/tiny-js/TinyJS.cpp:1726
#4 0x43ca7a in CTinyJS::term(bool&) /home/node/tiny-js/TinyJS.cpp:1731
#5 0x43d482 in CTinyJS::expression(bool&) /home/node/tiny-js/TinyJS.cpp:1751
#6 0x43e8bc in CTinyJS::shift(bool&) /home/node/tiny-js/TinyJS.cpp:1786
#7 0x43f7fb in CTinyJS::condition(bool&) /home/node/tiny-js/TinyJS.cpp:1803
#8 0x4408ad in CTinyJS::logic(bool&) /home/node/tiny-js/TinyJS.cpp:1842
#9 0x441dfa in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1859
#10 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#11 0x442c52 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1902
#12 0x445f32 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1944
#13 0x44c544 in CTinyJS::block(bool&) /home/node/tiny-js/TinyJS.cpp:1923
#14 0x446ad6 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1948
#15 0x44629f in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1994
#16 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#17 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#18 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#19 0x7f958a38482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#20 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)

0x60600000c2f8 is located 56 bytes inside of 64-byte region [0x60600000c2c0,0x60600000c300)
freed by thread T0 here:
#0 0x7f958b068b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864

previously allocated by thread T0 here:
#0 0x7f958b068532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568

SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1876 CTinyJS::ternary(bool&)

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1meBXekOMSdT8jc_kxuSoqlB2oL3jLqIj

vulnerability description:

It is a null pointer dereference. Here is where it crashed; you can see that the value of rax is 0:


But the instruction at the crash point dereferences rax:

Division Exception

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1pQIgme3iIyP2Z115HOoDSFD8dm5YneyY

vulnerability description:

There is a problem with CScriptVar::mathsOp. At TinyJS.cpp line 1060, a floating point arithmetic error is triggered, as shown in the figure:
The reason for the vulnerability is that during the remainder operation a division is actually performed, but if the dividend is 0, the floating point division fails.

PoC construction

In the process of declaring variables, 0 is used as the remainder.


false is actually 0.

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1SQYrTreCmgZdXTbM6dAvZfMQSG3WYnRV

vulnerability description:

It is a problem with CTinyJS::expression. At TinyJS.cpp line 1776, a null pointer dereference is triggered, as shown in the figure:

The reason for the vulnerability is that when the temporary assignment variable a is produced, it is not verified whether a is empty, and a->var is then dereferenced, which causes the vulnerability.

PoC construction

During the variable declaration, write 0.

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./run_tests poc

poc:

https://drive.google.com/open?id=1LDDlXy5TT1GcVikKCdYtbCjBKtBGGhJ_

vulnerability description:

It is a problem with CTinyJS::factor. At TinyJS.cpp line 1663, a null pointer dereference is triggered, as shown in the figure:
The reason for the vulnerability is that when the temporary assignment variable a is produced, it is not verified whether a is empty, and a->var is then dereferenced, which causes the vulnerability.

PoC construction

In the process of declaring a variable, a null pointer can be caused by adding a null character.

That is, an empty character is added after an element of the array.

heap-use-after-free

Environment

operating system: ubuntu18.04
compile: use Google's ASan (https://github.com/google/sanitizers) for vulnerability detection; specifically, in the Makefile add `-fsanitize=address` to CFLAGS, then run make
test command: ./run_tests  poc

poc:

function ReadCookie(cookieName) {
        return '';
    var ind1 = theCookie.indexOf(';', ind);
    if (ind1 == -1)
        ind1 = theCookie.length;
    return unescape(theCookie.substring(ind + cookieName.length + 1, ind1));
}
function ReadZagi(zagiName) {
    var zagi = ReadCookie('zagi');
    var ind = zagi.indexOf(zagiName);
    if (ind == -1 || zagiName == '')
        return '';
    var ind1 = zagi.indexOf('&', ind);
    if (ind1 == -1)
        ind1 = zagi.length - 1;
    return zagi.substring(ind + zagiName.length + 1, ind1);
}
var zip = ReadZagi('zip_code');
var city = ReadZagi('city');
var state = ReadZagi('state');
var gender = Re?dZagi('gender') == 'M' ? 'm' : ReadZagi('gender') == 'F' ? 'f' : '';
var subscribes = String(parseInt(ReadZagi('subscri'18-20';
    } else if (years_old < 25) {
        return '21-24';
    } else if (years_old < 30) {
        return '25-29';
    } else if (years_old < 35) {
        return '30-34';
    } else if (years_old < 40) {
        return '35-39';
    } else if (years_old < 45) {
        return '40-44';
    } else if (years_old < 50) {
        return '45-49';
    } else if (years_old < 55) {
        return '50-54';
    } else if (years_old < 60) {
        return '55-59';
    } else if (years_old < 65) {
        return '60-64';
    }
    return '65plus';
}
var age_range = AgeToRange(ReadZagi('age'));
function IncToRange(inc) {
    var idx = 0;
    var numstr = '';
    for (idx = 0; idx < inc.length && inc[idx] != '+'; idx++)
        if (!isNaN(parseInt(inc[idx])))
            numstr += inc[idx];
    inc = parseInt(numstr);
    if (isNaN(inc)) {
        return '';
    } else if (inc <= 24999) {
        return 'less25000';
    } else if (inc <= 34999) {
        return '25000-34999';
    } else if (inc <= 49999) {
        return '35000-49999';
    } else if (inc <= 74999) {
        return '50000-74999';
    } else if (inc <= 99999) {
        return '75000-99999';
    } else if (inc <= 149999) {
        return '100000-149999';
    } else if (inc <= 249999) {
        return '150000-249999';
    } else if (inc >= 250000) {
        return '250000plus';
    }
}
var inc_range = IncToRange(ReadZagi('income'));
var _ord = _ord || Math.random() * 1000000000000000000;
var _tile_params = ';ord=' + _ord;
var _demo_params = '';
if (age_range)
    _demo_params += ';age=' + age_range;
if (gender)
    _demo_params += ';gender=' + gender;
if (inc_range)
    _demo_params += ';income=' + inc_range;
if (subscribes)
    _demo_params += ';sub=' + subscribes;
var yld_mgr = {
    place_ad_here: funct

vulnerability description:

It is a use-after-free vulnerability; below is the ASan output:
==19716==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000008ed8 at pc 0x00000044221a bp 0x7fffb87ca5f0 sp 0x7fffb87ca5e0
READ of size 1 at 0x606000008ed8 thread T0
#0 0x442219 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1867
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x442634 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1876
#3 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#4 0x4466e4 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1974
#5 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#6 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#7 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#8 0x7f000c85082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)

0x606000008ed8 is located 56 bytes inside of 64-byte region [0x606000008ea0,0x606000008ee0)
freed by thread T0 here:
#0 0x7f000d534b2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864

previously allocated by thread T0 here:
#0 0x7f000d534532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568

SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1867 CTinyJS::ternary(bool&)
==19716==ABORTING

prototype on objects does not seem to work

What steps will reproduce the problem?
Person = function(name,age)
{
this.name = name;
this.age = age;
}

Person.prototype.id = function(){ return this.name + " " + this.age;}

mike = new Person("mike",39);

print(mike.id());


What is the expected output? What do you see instead?

should be: "mike 39"

prints out: "undefined"

What version of the product are you using? On what operating system?

TinyJS on Win7

Please provide any additional information below.


Original issue reported on code.google.com by [email protected] on 7 Nov 2014 at 12:16

Error on class definition

hi, 42Tiny JS:

why the statements below can pass on trunk, but not on your branch?

var sArr = new Array();

I can only do so.

var sArr = [];

But how can I define my own classes?

function CMyClass(){}
var sMine = new CMyClass();

Waiting for your answer, thanks.

Original issue reported on code.google.com by [email protected] on 30 Dec 2011 at 11:40

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1233VnpgxQZq0nUbKLXEOEYb5NcOPs--P

vulnerability description:

First observe the stack traceback, as shown in the figure:
It is a problem with CTinyJS::term. At TinyJS.cpp line 1737, a null pointer dereference is triggered, as shown in the figure:
The reason for the vulnerability is that when the temporary assignment variable b is produced, it is not verified whether b is empty, and b->var is then dereferenced, which causes the vulnerability.

Permit static linking

Hi! Thank you for the great work! But it could be more useful if you permitted static linking to proprietary programs (for example, it's not an option to load many dynamic libraries on an embedded system).

Original issue reported on code.google.com by [email protected] on 18 Aug 2010 at 3:20

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1dZ0KZHO0GgsxC-dj9HBP2bIYKFvG_EEM

vulnerability description:

There is a problem with CTinyJS::statement. At TinyJS.cpp line 2042, the pointer dereference is wrong, as shown in the figure:
[image]
When the object link was obtained from the base function, the null pointer was not checked, which caused the null pointer dereference and triggered a crash.

PoC construction

Add a null character after the expression in the JS script:
[image]
In the picture, "j = 0;" is the empty character.

native_RegExp error

TinyJS.cpp: In member function ‘void CTinyJS::native_RegExp(const CFunctionsScopePtr&, void*)’:
TinyJS.cpp:6256:23: erreur: ‘regex_constants’ has not been declared

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1mnLo6dzO3586JNhV1MtG-0VWEQZIOUzH

vulnerability description:

It is a problem with CTinyJS::condition. At TinyJS.cpp line 1813, a null pointer dereference is triggered, as shown in the figure:
[image]
The reason for the vulnerability is that when using the shift function to obtain the value of the JS expression, the obtained object value b is empty; it is not verified whether b is empty, and then b->var dereferences b, causing the vulnerability.

PoC construction

In the process of declaring a variable, a null pointer dereference can be caused by adding a null character.
[image]
That is, an empty character is added after an element of the array.

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1UCUT25j3YgpMgt04b1iAZgUdYmlcVvUR

vulnerability description:

There is a problem with CTinyJS::mathsOp. At TinyJS.cpp line 1056, the floating-point division is wrong, as shown in the figure:

[image]

The reason for the vulnerability is that in da / db, da and db are in fact both 0, resulting in a floating-point division error.

PoC construction

When constructing the division in JS, by declaring a variable with an empty value, the division is:
[image]
It can cause floating-point division errors.

Crash: calling execute() within a native function within a javascript function within execute() :P

*What steps will reproduce the problem?*
1. Add a native function "exec(s)" to a CTinyJS object, containing the following code:
try {
  cjs->execute( v->getParameter("s")->getString().c_str() );
} catch (CScriptException *ex) {
  v->getReturnVar()->setString( ex->text.c_str() );
}

2. Set up the concentric execution via a javascript function:
cjs->exec( "function e(s) { return exec(s); } ");

3. Test that the function ordinarily doesn't cause any problems
cjs->exec( "e(\"var f = 3\"); ");
// Doesn't cause any problems, f is a javascript integer containing the value 3

4. Test that a syntax error causes a hard crash
cjs->exec( "var f = e(\"syntaxerror\"); ");

*What is the expected output? What do you see instead?*
Expected: f is a javascript string containing some error message about "syntaxerror"
Result: Crash in CTinyJS::statement 

*What version of the product are you using? On what operating system?*
TinyJS trunk 0.23, Visual Studio 2010, Windows 7 (slightly old version of TinyJS, I can attempt to reproduce with a newer version)

*Please provide any additional information below.*
I have TinyJS hooked up to a command-line that cjs->execute()'s everything it's given. I have that hooked up to a chat room. I was trying to make it so that the bot could execute() instead of eval() commands that it was given, with all logic JS-side.

Apologies if I've made a mistake, left something out, or if this has been fixed already in a newer revision.

Original issue reported on code.google.com by [email protected] on 25 Oct 2011 at 7:58

Function symbol is evaluated in bracket-less body of false if-statement

What steps will reproduce the problem?

1. Precondition: foo is undefined
2. Run this code: if (foo !== undefined) foo();
3. Gives error message: "Expecting 'foo' to be a function"
4. This works: if (foo !== undefined) { foo(); }

What is the expected output? What do you see instead?

Expected bracket-less body to work.
Works when function is defined, for example: 
if (foo !== undefined) print('Hello');
Hello is not printed, as expected.

The implementation seems to take the value of the function symbol, even when the condition in the if-statement is false (have not looked at this in the actual implementation, I'm guessing).

What version of the product are you using? On what operating system?

TinyJS r11 (Tested on the MoSync port: http://code.google.com/p/mobile-tiny-js/ Have not tested with the original code, but I think it behaves the same as the port.)

Original issue reported on code.google.com by [email protected] on 28 Jul 2010 at 7:01

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./run_tests poc

poc:

https://drive.google.com/open?id=15YVLxLCZAALuP1HqbGctFEHsDd0KaDcJ

vulnerability description:

First observe the stack traceback, as shown in the figure:
[image]
It is a problem with CTinyJS::term. At TinyJS.cpp line 1736, a null pointer dereference is triggered, as shown in the figure:
[image]
The reason for the vulnerability is that when the temporary assignment variable b is generated, it is not verified whether b is empty, and then b->var dereferences b, which causes the vulnerability.

[image]
There is a '\x00' character after the "" here, causing tiny-js to think that the "" is empty after the parsing process, so the base parsing function returns 0, and "b->var" is not checked before the dereference, which in turn produced the vulnerability.

PoC construction

In the process of declaring a variable, a null pointer dereference can be caused by adding a null character after "*".
[image]
That is, a null character is added after the multiplication symbol.

Compilation under GCC 6 fails

Seems like stdlibc++ headers don't include cmath which is required. A quick fix is to include cmath in TinyJS.h

Tested only on the 42 branch

42tiny-js a fork of this project

Many thanks for this nice project. I have started my own fork with many changes at http://code.google.com/p/42tiny-js/

Changelog:
Added boolean datatype (in string operators it's shown as 'true'/'false' but in math as '1'/'0')
Added '~' operator
Added bit-shift operators '<<' '>>'
Added assignment operators '<<=' '>>=' '|=' '&=' '^='
Added comma operator, so that 'var i=1,j,k=9;' or 'for(i=0,j=12; i<10; i++, j++)' works
Added conditional operator ( ? : )
Added automatic cast from doubles to integer, e.g. by logic and binary operators
Added pre-increment/-decrement like '++i'/'--i' operator
Fixed post-increment/decrement, now returns the previous value
Fixed: throws an Error on invalid use of post/pre-increment/decrement (like this, 5++ works no more)
Fixed memory leak (unref arrayClass in destructor of JS CTinyJS)
Fixed unary operator handling (like this, '-~-5' works now)
Fixed operator priority order
            -> ','
            -> '=' '+=' '-=' '<<=' '>>=' '&=' '^=' '|='
            -> '? :' -> '||' -> '&&' -> '|' -> '^' -> '&'
            -> ['==' '===' '!=' '!==']
            -> [ '<' '<=' '=>' '>']
            -> ['<<' '>>'] -> [ '*' '/' '%']
            -> ['!' '~' '-' '++' '--']
Added do-while loop ( do .... while(..); )
Added break and continue statements for loops

ardi

Original issue reported on code.google.com by [email protected] on 1 Sep 2010 at 5:49

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: make
test command: ./run_tests  poc

poc:

https://drive.google.com/open?id=1Piwkup12nmhGZ3-z_GuNneH43cHnh-7m

vulnerability description:

It is CTinyJS::logic that has a problem. At TinyJS.cpp line 1846, a null pointer dereference is triggered, as shown in the figure:
[image]
The reason for the vulnerability is that when the temporary assignment variable b is generated, it is not verified whether b is empty, and then b->var dereferences b, which causes the vulnerability.

PoC construction

During the variable declaration, write 0.
[image]

heap-use-after-free

Environment

operating system: ubuntu18.04
compile:
Use Google's ASan (https://github.com/google/sanitizers) for vulnerability detection. Specifically, in the Makefile add `-fsanitize=address` to CFLAGS, then:
make
test command: ./run_tests  poc

poc:

function ReadCookie(cookieName) {
        return '';
    var ind1 = theCookie.indexOf(';', ind);
    if (ind1 == -1)
        ind1 = theCookie.length;
    return unescape(theCookie.substring(ind + cookieName.length + 1, ind1));
}
function ReadZagi(zagiName) {
    var zagi = ReadCookie('zagi');
    var ind = zagi.indexOf(zagiName);
    if (ind == -1 || zagiName == '')
        return '';
    var ind1 = zagi.indexOf('&', ind);
    if (ind1 == -1)
        ind1 = zagi.length - 1;
    return zagi.substring(ind + zagiName.length + 1, ind1);
}
var zip = ReadZagi('zip_code');
var city = ReadZagi('city');
var state = ReadZagi('state');
var gender = ReadZagi('gender') != 'M' ? 'm' : ReadZagi('gender') == 'F' ? 'f' : '';
var subscribes = String(parseInt(ReadZagi('subscri'18-20';
    } else if (years_old < 25) {
        return '21-24';
    } else if (years_old < 30) {
        return '25-29';
    } else if (years_old < 35) {
        return '30-34';
    } else if (years_old < 40) {
        return '35-39';
    } else if (years_old < 45) {
        return '40-44';
    } else if (years_old < 50) {
        return '45-49';
    } else if (years_old < 55) {
        return '50-54';
    } else if (years_old < 60) {
        return '55-59';
    } else if (years_old < 65) {
        return '60-64';
    }
    return '65plus';
}
var age_range = AgeToRange(ReadZagi('age'));
function IncToRange(inc) {
    var idx = 0;
    var numstr = '';
    for (idx = 0; idx < inc.length && inc[idx] != '+'; idx++)
        if (!isNaN(parseInt(inc[idx])))
            numstr += inc[idx];
    inc = parseInt(numstr);
    if (isNaN(inc)) {
        return '';
    } else if (inc <= 24999) {
        return 'less25000';
    } else if (inc <= 34999) {
        return '25000-34999';
    } else if (inc <= 49999) {
        return '35000-49999';
    } else if (inc <= 74999) {
        return '50000-74999';
    } else if (inc <= 99999) {
        return '75000-99999';
    } else if (inc <= 149999) {
        return '100000-149999';
    } else if (inc <= 249999) {
        return '150000-249999';
    } else if (inc >= 250000) {
        return '250000plus';
    }
}
var inc_range = IncToRange(ReadZagi('income'));
var _ord = _ord || Math.random() * 1000000000000000000;
var _tile_params = ';ord=' + _ord;
var _demo_params = '';
if (age_range)
    _demo_params += ';age=' + age_range;
if (gender)
    _demo_params += ';gender=' + gender;
if (inc_range)
    _demo_params += ';income=' + inc_range;
if (subscribes)
    _demo_params += ';sub=' + subscribes;
var yld_mgr = {
    place_ad_here: funct

vulnerability description:

It is a use-after-free vulnerability; below is the ASan output:

==19950==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000007eb8 at pc 0x000000442521 bp 0x7ffc808a78b0 sp 0x7ffc808a78a0
READ of size 1 at 0x606000007eb8 thread T0
#0 0x442520 in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1874
#1 0x442934 in CTinyJS::base(bool&) /home/node/tiny-js/TinyJS.cpp:1887
#2 0x4466e4 in CTinyJS::statement(bool&) /home/node/tiny-js/TinyJS.cpp:1974
#3 0x44b23a in CTinyJS::execute(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&) /home/node/tiny-js/TinyJS.cpp:1322
#4 0x40718c in run_test(char const*) /home/node/tiny-js/run_tests.cpp:219
#5 0x4068b0 in main /home/node/tiny-js/run_tests.cpp:258
#6 0x7fc1050f782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x406b68 in _start (/home/node/tiny-js/run_tests+0x406b68)

0x606000007eb8 is located 56 bytes inside of 64-byte region [0x606000007e80,0x606000007ec0)
freed by thread T0 here:
#0 0x7fc105ddbb2a in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99b2a)
#1 0x44256e in CTinyJS::ternary(bool&) /home/node/tiny-js/TinyJS.cpp:1864

previously allocated by thread T0 here:
#0 0x7fc105ddb532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x439204 in CTinyJS::factor(bool&) /home/node/tiny-js/TinyJS.cpp:1568

SUMMARY: AddressSanitizer: heap-use-after-free /home/node/tiny-js/TinyJS.cpp:1874 CTinyJS::ternary(bool&)
Shadow bytes around the buggy address:
0x0c0c7fff8f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8fa0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff8fb0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8fc0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c7fff8fd0: fd fd fd fd fd fd fd[fd]fa fa fa fa 00 00 00 00
0x0c0c7fff8fe0: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff8ff0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c7fff9000: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c7fff9010: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c7fff9020: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==19950==ABORTING

Null pointer dereference

Environment

operating system: ubuntu18.04
compile command: ./configure && make
test command: ./run_tests poc

poc:

https://drive.google.com/open?id=1S3o5dJNvjp19QdkdgZsg2YRAb6G_2Wfy

vulnerability description:

It is a problem with CTinyJS::term. At TinyJS.cpp line 1813, a null pointer dereference is triggered, as shown in the figure:
[image]
The reason for the vulnerability is that when the temporary assignment variable b is generated, it is not verified whether b is empty, and then b->var dereferences b, which causes the vulnerability.

PoC construction

In the process of declaring a variable, a null pointer dereference can be caused by adding a null character after "*".
[image]
That is, a null character is added after the multiplication symbol.
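The six "Null pointer dereference" reports above (CTinyJS::term, ::condition, ::logic, ::statement) and the CTinyJS::mathsOp division report share one shape: a sub-parser returns 0 when the input ends early (here, at an embedded NUL byte), and the caller uses b->var without checking b. The block below is an added, stand-alone illustration of the defensive shape, not tiny-js code: TinyLexer, Value, base(), term(), evalTerm(), rejects() and hasEmbeddedNul() are hypothetical names over a toy grammar (integer literals with '*' and '/'). It shows the check a recursive-descent caller needs before dereferencing, a defined error for a zero divisor, and a front-door check an embedder can run on a script before handing it to any interpreter.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>

// Thrown instead of crashing when an operand is missing (hypothetical type).
struct ParseError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Stand-in for the interpreter's variable object; only the field the
// reports dereference (b->var) is modelled.
struct Value {
    double var;
};

// Minimal lexer over a std::string. An embedded '\0' is treated as end of
// input, which is how the NUL-byte PoCs above end up with no operand.
class TinyLexer {
public:
    explicit TinyLexer(std::string src) : src_(std::move(src)) {}
    bool atEnd() const { return pos_ >= src_.size() || src_[pos_] == '\0'; }
    char peek() const { return atEnd() ? '\0' : src_[pos_]; }
    void advance() { if (!atEnd()) ++pos_; }
    void skipSpace() { while (!atEnd() && src_[pos_] == ' ') ++pos_; }
private:
    std::string src_;
    std::size_t pos_ = 0;
};

// base(): parses an unsigned integer literal. Returns nullptr when there is
// no operand, mirroring "the base parsing function returns 0" in the reports.
std::unique_ptr<Value> base(TinyLexer& l) {
    l.skipSpace();
    if (l.atEnd() || l.peek() < '0' || l.peek() > '9') return nullptr;
    double v = 0;
    while (!l.atEnd() && l.peek() >= '0' && l.peek() <= '9') {
        v = v * 10 + (l.peek() - '0');
        l.advance();
    }
    return std::unique_ptr<Value>(new Value{v});
}

// term(): the guarded shape. Each result of base() is checked before ->var
// is touched, so "2*" (or "2*\0...") raises ParseError instead of faulting.
// The explicit zero-divisor check turns the 0/0 case into a defined error.
std::unique_ptr<Value> term(TinyLexer& l) {
    std::unique_ptr<Value> a = base(l);
    if (!a) throw ParseError("expected operand");
    l.skipSpace();
    while (l.peek() == '*' || l.peek() == '/') {
        char op = l.peek();
        l.advance();
        std::unique_ptr<Value> b = base(l);
        if (!b) throw ParseError(std::string("missing operand after '") + op + "'");
        if (op == '/' && b->var == 0) throw ParseError("division by zero");
        a->var = (op == '*') ? a->var * b->var : a->var / b->var;
        l.skipSpace();
    }
    return a;
}

double evalTerm(const std::string& src) {
    TinyLexer l(src);
    return term(l)->var;
}

// True when the input is rejected with ParseError rather than evaluated.
bool rejects(const std::string& src) {
    try {
        evalTerm(src);
        return false;
    } catch (const ParseError&) {
        return true;
    }
}

// Front-door check for embedders: a script with a NUL byte inside it is
// malformed, and C-string interfaces would silently truncate it there.
bool hasEmbeddedNul(const std::string& script) {
    return script.find('\0') != std::string::npos;
}
```

With this shape, evalTerm("2*3") evaluates to 6, while "2*", a script cut off by a NUL byte after the '*', and "4/0" all surface as a ParseError the embedding can report, which is the behaviour the reports above are asking for in place of a segfault.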

memory leak at CTinyJS::factor()

try {
  /* JSON-style object definition */
  l->match('{');
  while (l->tk != '}') {
    string id = l->tkStr;
    // we only allow strings or IDs on the left hand side of an initialisation
    if (l->tk==LEX_STR) l->match(LEX_STR);
    else l->match(LEX_ID);
    l->match(':');
    CScriptVarSmartLink a = assignment(execute);
    if (execute) {
      contents->addChild(id, a->var);
    }
    // no need to clean here, as it will definitely be used
    if (l->tk != '}') l->match(',');
  }

  l->match('}');
} catch (CScriptException *e) {
  delete contents;
  throw e;
}

Original issue reported on code.google.com by [email protected] on 27 Dec 2011 at 10:14
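The snippet in the report above frees `contents` by hand in a catch block and rethrows; that works, but every early return or new throw site in the loop has to remember the same cleanup. As an added example (not tiny-js code), the block below shows the RAII alternative for the same object-literal loop: ScriptVar, ParseError, parseValue() and parseObject() are hypothetical stand-ins for CScriptVar, CScriptException, assignment() and the loop in factor(), and a static live-object counter makes the leak (or its absence) observable in a test.

```cpp
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

struct ParseError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Stand-in for the interpreter's variable object. `live` counts constructed
// minus destroyed instances, so a leak shows up as a non-zero value.
struct ScriptVar {
    static int live;
    double value = 0;
    std::map<std::string, std::shared_ptr<ScriptVar>> children;
    ScriptVar() { ++live; }
    ~ScriptVar() { --live; }
};
int ScriptVar::live = 0;

// Stand-in for assignment(): accepts a decimal literal and throws on
// anything else, which is the point at which a raw `contents` would leak.
std::shared_ptr<ScriptVar> parseValue(const std::string& tok) {
    if (tok.empty() || tok.find_first_not_of("0123456789") != std::string::npos)
        throw ParseError("expected a number, got '" + tok + "'");
    auto v = std::make_shared<ScriptVar>();
    v->value = std::stod(tok);
    return v;
}

using Pairs = std::vector<std::pair<std::string, std::string>>;

// Object-literal construction with RAII ownership: `contents` belongs to a
// unique_ptr from creation, so when parseValue() throws mid-object the
// destructor runs during unwinding. No catch / delete / rethrow is needed,
// and the ParseError propagates unchanged to the caller.
std::unique_ptr<ScriptVar> parseObject(const Pairs& pairs) {
    std::unique_ptr<ScriptVar> contents(new ScriptVar());
    for (const auto& kv : pairs)
        contents->children[kv.first] = parseValue(kv.second);
    return contents;
}

// Parses an object whose third member is malformed and reports how many
// ScriptVars are still alive afterwards; with RAII ownership this is 0.
int liveAfterFailedParse() {
    Pairs pairs;
    pairs.emplace_back("a", "1");
    pairs.emplace_back("b", "2");
    pairs.emplace_back("c", "oops");
    try {
        std::unique_ptr<ScriptVar> obj = parseObject(pairs);
        (void)obj;
    } catch (const ParseError&) {
        // expected: the literal is rejected and nothing stays allocated
    }
    return ScriptVar::live;
}

// Happy path: returns the value stored under `key` after a successful parse.
double parsedMember(const std::string& key, const std::string& literal) {
    Pairs pairs;
    pairs.emplace_back(key, literal);
    std::unique_ptr<ScriptVar> obj = parseObject(pairs);
    return obj->children.at(key)->value;
}
```

The same idea applies to the original code: holding `contents` in a std::unique_ptr (or the project's own CScriptVarSmartLink) for the duration of the loop and releasing it only when ownership is handed to the caller removes the need for the catch-and-delete block entirely.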
