
global-buffer-overflow jerry-core/ecma/builtin-objects/ecma-builtin-bigint.c:225 in ecma_builtin_bigint_object_as_int_n #5260

@sloth31

Description

JerryScript revision

b706935

Build platform

Ubuntu 22.04 LTS

Build steps

python3 tools/build.py --debug --lto=off --compile-flag=-fsanitize=address --compile-flag=-D_POSIX_C_SOURCE=200809 --compile-flag=-Wno-strict-prototypes

Test case

(-4294967297n).constructor.asUintN(9.764008707177638, -4294967296n);

Execution steps

build/bin/jerry crash.js

Output
=================================================================
==2228073==ERROR: AddressSanitizer: global-buffer-overflow on address 0x560bbb3452c0 at pc 0x560bbb185956 bp 0x7ffd1949a710 sp 0x7ffd1949a700
READ of size 4 at 0x560bbb3452c0 thread T0
    #0 0x560bbb185955 in ecma_builtin_bigint_object_as_int_n /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-bigint.c:225
    #1 0x560bbb1863d2 in ecma_builtin_bigint_dispatch_routine /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-bigint.c:393
    #2 0x560bbb0aa7de in ecma_builtin_dispatch_routine /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #3 0x560bbb0aaa12 in ecma_builtin_dispatch_call /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #4 0x560bbb0d07b3 in ecma_op_function_call_native_built_in /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1223
    #5 0x560bbb0d15ab in ecma_op_function_call /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1468
    #6 0x560bbb0d1445 in ecma_op_function_validated_call /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428
    #7 0x560bbb15664a in opfunc_call /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:758
    #8 0x560bbb174602 in vm_execute /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:5236
    #9 0x560bbb174c3b in vm_run /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:5331
    #10 0x560bbb154920 in vm_run_global /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:286
    #11 0x560bbb05a0e0 in jerry_run /data/newpart/JS_Engines/jerryscript/jerry-core/api/jerryscript.c:549
    #12 0x560bbb201f99 in jerryx_source_exec_script /data/newpart/JS_Engines/jerryscript/jerry-ext/util/sources.c:68
    #13 0x560bbb055627 in main /data/newpart/JS_Engines/jerryscript/jerry-main/main-desktop.c:156
    #14 0x7fa17b5efd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7fa17b5efe3f in __libc_start_main_impl ../csu/libc-start.c:392
    #16 0x560bbb054b24 in _start (/data/newpart/JS_Engines/jerryscript/build/bin/jerry+0x59b24)

0x560bbb3452c0 is located 0 bytes to the right of global variable 'jerry_global_heap' defined in '/data/newpart/JS_Engines/jerryscript/jerry-core/jcontext/jcontext.c:142:13' (0x560bbb2c52c0) of size 524288
SUMMARY: AddressSanitizer: global-buffer-overflow /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-bigint.c:225 in ecma_builtin_bigint_object_as_int_n
Shadow bytes around the buggy address:
  0x0ac1f7660a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1f7660a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1f7660a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1f7660a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1f7660a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ac1f7660a50: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
  0x0ac1f7660a60: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9
  0x0ac1f7660a70: f9 f9 f9 f9 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
  0x0ac1f7660a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1f7660a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ac1f7660aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2228073==ABORTING
Backtrace
    #0 0x5555556de955 in ecma_builtin_bigint_object_as_int_n /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-bigint.c:225
    #1 0x5555556df3d2 in ecma_builtin_bigint_dispatch_routine /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtin-bigint.c:393
    #2 0x5555556037de in ecma_builtin_dispatch_routine /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1460
    #3 0x555555603a12 in ecma_builtin_dispatch_call /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/builtin-objects/ecma-builtins.c:1489
    #4 0x5555556297b3 in ecma_op_function_call_native_built_in /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1223
    #5 0x55555562a5ab in ecma_op_function_call /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1468
    #6 0x55555562a445 in ecma_op_function_validated_call /data/newpart/JS_Engines/jerryscript/jerry-core/ecma/operations/ecma-function-object.c:1428
    #7 0x5555556af64a in opfunc_call /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:758
    #8 0x5555556cd602 in vm_execute /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:5236
    #9 0x5555556cdc3b in vm_run /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:5331
    #10 0x5555556ad920 in vm_run_global /data/newpart/JS_Engines/jerryscript/jerry-core/vm/vm.c:286
    #11 0x5555555b30e0 in jerry_run /data/newpart/JS_Engines/jerryscript/jerry-core/api/jerryscript.c:549
    #12 0x55555575af99 in jerryx_source_exec_script /data/newpart/JS_Engines/jerryscript/jerry-ext/util/sources.c:68
    #13 0x5555555ae627 in main /data/newpart/JS_Engines/jerryscript/jerry-main/main-desktop.c:156
    #14 0x7ffff72d9d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #15 0x7ffff72d9e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #16 0x5555555adb24 in _start (/data/newpart/JS_Engines/jerryscript/build/bin/jerry+0x59b24)
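For reference when triaging this report, here is an added JavaScript rendition of the ECMAScript BigInt.asUintN / BigInt.asIntN algorithms (ToIndex on the bits argument, then the residue modulo 2^bits). It is not part of this issue and not JerryScript code; it only shows what a conforming engine returns for the arguments in the test case: ToIndex truncates 9.764008707177638 to 9, and -4294967296n modulo 2^9 is 0n. Assumptions: the bigint argument must already be a BigInt (the spec's ToBigInt coercion of strings and booleans is left out), and the differential check needs a host with BigInt built-ins such as Node.js. The function and variable names below are the example's own.

```javascript
// Added reference implementation (not JerryScript code): ECMAScript
// BigInt.asUintN / BigInt.asIntN semantics, following the spec algorithms.
// Simplification (assumption): `bigint` must already be a BigInt; the
// spec's ToBigInt coercion of strings and booleans is not reproduced.

// ToIndex(value): undefined -> 0; otherwise truncate toward zero and
// reject anything outside [0, 2^53 - 1] with a RangeError.
function toIndex(value) {
  if (value === undefined) return 0;
  const n = Number(value);            // ToNumber
  if (Number.isNaN(n)) return 0;      // ToIntegerOrInfinity(NaN) is +0
  const i = Math.trunc(n);            // 9.764... -> 9; Infinity stays Infinity
  if (i < 0 || i > Number.MAX_SAFE_INTEGER) {
    throw new RangeError(`invalid index: ${value}`);
  }
  return i === 0 ? 0 : i;             // normalise -0 to +0
}

function requireBigInt(value) {
  if (typeof value !== 'bigint') {
    throw new TypeError('expected a BigInt');
  }
  return value;
}

// Non-negative remainder: JS `%` on a negative BigInt yields a negative result.
function modPow2(x, bits) {
  const m = 1n << BigInt(bits);
  return ((x % m) + m) % m;
}

// BigInt.asUintN(bits, bigint): bigint modulo 2^bits, in [0, 2^bits).
function asUintN(bits, bigint) {
  const b = toIndex(bits);
  const x = requireBigInt(bigint);
  return modPow2(x, b);
}

// BigInt.asIntN(bits, bigint): same residue, re-interpreted as a two's-
// complement value in [-2^(bits-1), 2^(bits-1)).
function asIntN(bits, bigint) {
  const b = toIndex(bits);
  const x = requireBigInt(bigint);
  const mod = modPow2(x, b);
  // For bits == 0 the spec threshold is 2^-1 = 0.5, which 0 never reaches,
  // so the result is always 0n; the guard keeps the shift amount >= 0.
  if (b > 0 && mod >= (1n << BigInt(b - 1))) {
    return mod - (1n << BigInt(b));
  }
  return mod;
}

// The crashing call from the test case, with the same arguments.
function expectedForTestCase() {
  return asUintN(9.764008707177638, -4294967296n);  // 0n
}

// Differential check against the host engine's own built-ins (assumes a
// runtime with BigInt, e.g. Node.js); returns the first mismatch or null.
function diffAgainstNative(cases) {
  for (const [bits, value] of cases) {
    if (asUintN(bits, value) !== BigInt.asUintN(bits, value) ||
        asIntN(bits, value) !== BigInt.asIntN(bits, value)) {
      return { bits, value };
    }
  }
  return null;
}

const sampleCases = [                 // constructed inputs
  [9.764008707177638, -4294967296n],  // the issue's test case
  [9.764008707177638, -4294967297n],
  [0, -1n], [1, -1n], [8, 255n], [8, -129n],
  [64, -1n], [64, 1n << 63n], [65, -(1n << 64n)],
];

console.log(expectedForTestCase(), diffAgainstNative(sampleCases));
```

Running the sample cases through both this implementation and the host's BigInt.asUintN / BigInt.asIntN should report no mismatch; the same inputs can be fed to the patched jerry binary to confirm the fix returns 0n for the reported call rather than reading past jerry_global_heap.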
