CVE-2021-44993: Assertion 'ecma_is_value_boolean (base_value)' failed in ecma_op_get_value_object_base (ecma-get-put-value). · Issue #4876 · jerryscript-project/jerryscript
There is an assertion failure, 'ecma_is_value_boolean (base_value)', at /jerry-core/ecma/operations/ecma-get-put-value.c in JerryScript 3.0.0.
JerryScript revision
Commit: 51da1551
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
Test case
function JSEtest(f, n = 1000) {
  for (let i = 0; i < n; i++) { f(); }
}
JSEtest(function () {
  class M {
    constructor() { this._x = 45; }
    get foo() {
      return this._x;
    }
  }
  class N extends M {
    constructor(x = () => super.foo) { super(); x() === 45; }
    x(x = () => super.foo) {
      return x();
    }
  }
  new N().x() === 45;
});
Execution steps & Output
version 3.0.0
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'ecma_is_value_boolean (base_value)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c(ecma_op_get_value_object_base):205.
Error: ERR_FAILED_INTERNAL_ASSERTION
Credits: Found by OWL337 team.
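Triage example added here (not part of the original issue and not JerryScript project code): it parses the ICE line format quoted above into a crash signature and drops the machine-specific checkout prefix, so the same assertion reported from different build directories lands in one bucket. The "jerry-core/" marker, the function names and every sample output except the line quoted in the issue are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Format taken from the output quoted in the issue:
#   ICE: Assertion '<expr>' failed at <path>(<function>):<line>.
ICE_RE = re.compile(
    r"ICE: Assertion '(?P<expr>.+?)' failed at "
    r"(?P<path>\S+?)\((?P<func>\w+)\):(?P<line>\d+)\."
)
REPO_MARKER = "jerry-core/"  # assumption: paths are normalised from this directory on


def parse_ice(output):
    """Return a dict for the first assertion failure in `output`, or None."""
    m = ICE_RE.search(output)
    if m is None:
        return None
    path = m.group("path")
    # Drop the checkout prefix (e.g. /root/jerryscript/) so paths compare equal.
    idx = path.find(REPO_MARKER)
    rel = path[idx:] if idx != -1 else path.lstrip("/")
    return {"expr": m.group("expr"), "file": rel,
            "func": m.group("func"), "line": int(m.group("line"))}


def signature(ice):
    """Bucket key; the line number is left out because it shifts between revisions."""
    return (ice["expr"], ice["file"], ice["func"])


def bucket(runs):
    """Group {test case name: captured output} by assertion signature."""
    buckets = defaultdict(list)
    for name, output in runs.items():
        ice = parse_ice(output)
        buckets[signature(ice) if ice else ("no-assertion",)].append(name)
    return dict(buckets)


# Sample outputs: "poc.js" is the line quoted in the issue; the other two are
# constructed (a hypothetical second checkout path and line, and a clean run).
SAMPLE_RUNS = {
    "poc.js": "ICE: Assertion 'ecma_is_value_boolean (base_value)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c(ecma_op_get_value_object_base):205.\nError: ERR_FAILED_INTERNAL_ASSERTION\n",
    "variant.js": "ICE: Assertion 'ecma_is_value_boolean (base_value)' failed at /home/ci/build/jerry-core/ecma/operations/ecma-get-put-value.c(ecma_op_get_value_object_base):211.\nError: ERR_FAILED_INTERNAL_ASSERTION\n",
    "clean.js": "",
}

if __name__ == "__main__":
    for key, names in bucket(SAMPLE_RUNS).items():
        print(key, sorted(names))
```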