CVE-2020-23257: Illegal memory access may lead to arbitrary memory write inside jsvGarbageCollectMarkUsed · Issue #1820 · espruino/Espruino
Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.
Hello,
I found that illegal memory access may lead to an arbitrary memory write inside jsvGarbageCollectMarkUsed. When an Object property name is marked, it will be regarded as a nativeStr struct, and the content pointed to by the property name is read and marked, which will result in an arbitrary memory write.
Please confirm~~
PoC is here:
espruino1.js.zip
test version:
commit d543731 (HEAD -> master, origin/master, origin/HEAD) (20200505)
environment
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
run ./espruino poc
(gdb) r
Starting program: /home/zdz/Espruino/espruino /home/zdz/debugBug/espruino1.js
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff6e85700 (LWP 4410)]
 _____                 _
|   __|___ ___ ___ _ _|_|___ ___
|   __|_ -| . |  _| | | |   | . |
|_____|___|  _|_| |___|_|_|_|___|
          |_| espruino.com
2v05.41 © 2019 G.Williams
Espruino is Open Source. Our work is supported
only by sales of official boards and donations:
http://espruino.com/Donate
{ }
Thread 1 "espruino" received signal SIGSEGV, Segmentation fault.
jsvIsString (
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73
73 bool jsvIsString(const JsVar *v) { return v && (v->flags&JSV_VARTYPEMASK)>=_JSV_STRING_START && (v->flags&JSV_VARTYPEMASK)<=_JSV_STRING_END; } ///< String, or a NAME too
(gdb) bt
#0 jsvIsString (
v=<error reading variable: Cannot access memory at address 0x7fffff7feff0>) at src/jsvar.c:73
#1 0x0000555555565728 in jsvHasCharacterData (v=0x7ffff6644610)
at src/jsvar.c:384
#2 0x000055555556f8d2 in jsvGarbageCollectMarkUsed (var=0x7ffff6644610)
at src/jsvar.c:3715
#3 0x000055555556f97a in jsvGarbageCollectMarkUsed (var=0x7ffff6644650)
at src/jsvar.c:3730
#4 0x000055555556f9cb in jsvGarbageCollectMarkUsed (var=0x7ffff6644670)
at src/jsvar.c:3738
Dongzhuo Zhao working with ADLab of Venustech
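The root cause the report describes is a type confusion in the mark phase: a property-name node is treated as a native string and the "pointer" in its payload is followed and written through, whatever type the node actually has. The toy model below is an added illustration and is not Espruino's code; every name, flag and layout in it is invented (a small tagged-variable arena indexed by integers rather than raw pointers, so that a bad reference is counted instead of corrupting memory). It contrasts a mark routine that trusts the NAME flag alone with one that also checks the node's type tag before following the native-string reference.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical tagged-variable heap (NOT Espruino's JsVar). Each node carries
 * a type tag in the low bits of `flags` and a union payload whose meaning
 * depends on that tag. A native string stores an index into `vars` of the
 * node holding its backing characters.
 */
enum {
    TYPE_MASK    = 0x0F,
    T_INT        = 1,    /* payload is an integer (e.g. an array index name)  */
    T_STRING     = 2,    /* payload is inline characters                      */
    T_NATIVE_STR = 3,    /* payload is an index of the backing node           */
    T_OBJECT     = 4,
    F_NAME       = 0x10, /* node is a property name                           */
    F_MARKED     = 0x20  /* set by the mark phase                             */
};

#define MAX_VARS 8

typedef struct {
    uint8_t flags;
    int     first_child;     /* -1 if none */
    int     next;            /* sibling, -1 if none */
    union {
        int64_t integer;
        int64_t native_ref;  /* meaningful only when type == T_NATIVE_STR */
        char    str[8];
    } v;
} Var;

static Var vars[MAX_VARS];

static bool is_native_str(const Var *v) {
    return (v->flags & TYPE_MASK) == T_NATIVE_STR;
}

/*
 * Marks the graph reachable from `idx`. With check_type == false it behaves
 * like the reported bug: every NAME is assumed to be a native string and its
 * payload is used as a reference. With check_type == true the type tag is
 * verified first. A reference outside the arena is counted in *oob instead
 * of being written through. Returns the number of nodes marked.
 */
static int gc_mark(int idx, bool check_type, int *oob) {
    if (idx < 0 || idx >= MAX_VARS) return 0;
    Var *var = &vars[idx];
    if (var->flags & F_MARKED) return 0;   /* already visited: stops cycles */
    var->flags |= F_MARKED;
    int marked = 1;

    if ((var->flags & F_NAME) && (!check_type || is_native_str(var))) {
        int64_t ref = var->v.native_ref;   /* garbage unless really native */
        if (ref < 0 || ref >= MAX_VARS) (*oob)++;
        else marked += gc_mark((int)ref, check_type, oob);
    }
    for (int c = var->first_child; c >= 0; c = vars[c].next)
        marked += gc_mark(c, check_type, oob);
    return marked;
}

/* Constructed sample heap: an object with three property names of different
 * types. Node 5 is the backing string of the native-string name at node 4. */
static void build_heap(void) {
    memset(vars, 0, sizeof vars);
    for (int i = 0; i < MAX_VARS; i++) { vars[i].first_child = -1; vars[i].next = -1; }

    vars[0].flags = T_OBJECT;              vars[0].first_child = 1;
    vars[1].flags = T_STRING | F_NAME;     strcpy(vars[1].v.str, "foo");
    vars[1].first_child = 3;               vars[1].next = 2;
    vars[2].flags = T_INT | F_NAME;        vars[2].v.integer = 0x7fffffffLL;
    vars[2].next = 4;
    vars[3].flags = T_INT;                 vars[3].v.integer = 42;
    vars[4].flags = T_NATIVE_STR | F_NAME; vars[4].v.native_ref = 5;
    vars[5].flags = T_STRING;              strcpy(vars[5].v.str, "backing");
}

/* Rebuilds the sample heap, runs the mark phase from the root and returns
 * the number of refused out-of-arena references; *marked receives the count
 * of nodes reached. */
int demo_mark(bool check_type, int *marked) {
    build_heap();
    int oob = 0;
    *marked = gc_mark(0, check_type, &oob);
    return oob;
}

int main(void) {
    int m;
    printf("trusting NAME flag:  %d bad references, %d nodes marked\n", demo_mark(false, &m), m);
    printf("checking type tag:   %d bad references, %d nodes marked\n", demo_mark(true, &m), m);
    return 0;
}
```

In the trusting variant both the string-typed name ("foo" reinterpreted as an integer) and the integer-typed name yield references far outside the arena; in a real heap those would become out-of-bounds mark writes at attacker-influenced addresses, which is the write primitive the report is concerned about. The fix pattern is the one the checked variant shows: the guard that decides whether a payload may be dereferenced must key on the node's type tag, not on an orthogonal flag such as "is a name".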