CVE-2021-46506: Assertion `v->d.lval != v' failed at src/jsiValue.c:181: ValueFree. · Issue #52 · pcmacdon/jsish
There is an Assertion ‘v->d.lval != v’ failed at src/jsiValue.c in Jsish v3.5.0.
Jsish revision
Commit: 9fa798e
Version: v3.5.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
export CFLAGS='-fsanitize=address'
make
Test case
function applyTags(text, open, close, action) {
    var openTags = arguments;
    var lastOcr = text.indexOf(open), nextOpen, nextClose, iniBlock, updBlock;
    if (openTags.pop()) {
        openTags.push(lastOcr);
    }
    while (openTags.length > 0) {
        lastOcr = action;
        nextOpen = text.indexOf(open, lastOcr + open.length);
        nextClose = text.indexOf(close, lastOcr + open.length);
    }
    return text;
}
function JSEtest(text) {
    return text.toUpperCase();
}

var text = '<lowcase> YEAH! </lowcase> Some <upcase> random <upcase> text </upcase> to </up$
text = applyTags(text, '<upcase>', '</upcase>', JSEtest);
Execution steps & Output
$ ./jsish/jsish poc.js
/home/user/poc.js:9: bug: Convert a unknown type: 0x6 to number (at or near "length")
/home/user/poc.js:10: bug: Convert a unknown type: 0x6 to number (at or near "length")
jsish: src/jsiValue.c:181: ValueFree: Assertion `v->d.lval != v' failed.
[2] 116137 abort jsish poc.js
Credits: Found by OWL337 team.