Stack-overflow in JSONParser
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4983903323684864
Fuzzer: inferno_js_fuzzer_c
Job Type: mac_asan_d8
Platform Id: mac
Crash Type: Stack-overflow
Crash Address: 0x7fff5a5ceeb8
Crash State: LookupIterator
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8&range=464021:464058
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4983903323684864

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 6 2017
Issue 729165 has been merged into this issue.
Jun 6 2017
Thanks, repros with that snippet in d8. Looking.
Jun 6 2017
The snippet creates a circular structure in the JS object. There are checks to fail on a similar condition in json-stringifier.cc (kCircularStructure), but apparently not here. Firefox throws an internal error in this case; we should probably do the same.
Jun 6 2017
And Safari throws a stack overflow RangeError.
Jun 6 2017
Introduced by: https://codereview.chromium.org/2026563002

The old JS implementation had implicit stack overflow handling; C++ needs it to be explicit.
Jun 6 2017
Jun 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/84a54c5c37ed68c61983f976b2e03b0b7fe796dc

commit 84a54c5c37ed68c61983f976b2e03b0b7fe796dc
Author: jgruber <jgruber@chromium.org>
Date: Wed Jun 07 07:47:13 2017

[json] Handle stack overflows in JSON.parse

It's possible to build circular objects through the reviver function in JSON.parse. Recursion needs to check for stack overflows and throw as needed.

BUG= chromium:729671
Change-Id: I52ccd9ed9fea5829810879f8dd8207043fa6d910
Reviewed-on: https://chromium-review.googlesource.com/525812
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45752}

[modify] https://crrev.com/84a54c5c37ed68c61983f976b2e03b0b7fe796dc/src/json-parser.cc
[add] https://crrev.com/84a54c5c37ed68c61983f976b2e03b0b7fe796dc/test/mjsunit/regress/regress-729671.js
Jun 7 2017
Jun 8 2017
ClusterFuzz has detected this issue as fixed in range 477597:477609.

Detailed report: https://clusterfuzz.com/testcase?key=4983903323684864
Fuzzer: inferno_js_fuzzer_c
Job Type: mac_asan_d8
Platform Id: mac
Crash Type: Stack-overflow
Crash Address: 0x7fff5a5ceeb8
Crash State: LookupIterator
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_d8&range=464021:464058
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_d8&range=477597:477609
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4983903323684864

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by clemensh@chromium.org, Jun 6 2017
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Summary: Stack-overflow in JSONParser (was: Stack-overflow in LookupIterator)
This causes endless recursion in the JSON parser:
==============================
// The reviver returns undefined (so each visited key is deleted) and
// rewrites slot 1 of its holder to __v_13; once __v_13's own keys are
// walked, __v_13[1] points back at __v_13 and the walk never terminates.
__v_13 = { 0: 11, 1: 9 };
JSON.parse('[0,0]', function() { this[1] = __v_13; });
==============================
Reproduces since >1 year. Jakob, can you take a look please?
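As an added example, not part of the bug thread or of V8: a user-space JSON.parse wrapper that walks the parsed value the way the spec's InternalizeJSONProperty does, but refuses to descend into a holder already on the current path, so a holder-mutating reviver like the one above fails with a descriptive TypeError instead of relying on the engine's stack check. The function names (parseWithCycleGuard, circularReviverCase, errorName) and the depth cap are assumptions of this example; the sample input is the thread's reproducer, constructed inline.

```javascript
// Added example (not from the V8 bug thread). parseWithCycleGuard mirrors the
// spec's InternalizeJSONProperty walk but tracks which holders are currently
// being internalized, so a reviver that wires a holder back into itself is
// caught before any recursion runs away.
function parseWithCycleGuard(text, reviver, maxDepth = 1000) {
  const onPath = new Set(); // objects on the current internalization path
  let depth = 0;

  function walk(holder, key) {
    const value = holder[key]; // re-read: the reviver may have mutated the holder
    if (value !== null && typeof value === 'object') {
      if (onPath.has(value)) {
        throw new TypeError(`reviver created a circular structure at key "${key}"`);
      }
      if (++depth > maxDepth) {
        throw new RangeError(`nesting deeper than ${maxDepth}`);
      }
      onPath.add(value);
      // Keys are captured before the loop, as the spec does.
      const keys = Array.isArray(value)
        ? Array.from(value.keys(), String)
        : Object.keys(value);
      for (const k of keys) {
        const v = walk(value, k);
        if (v === undefined) delete value[k];
        else value[k] = v;
      }
      onPath.delete(value);
      depth--;
    }
    return reviver.call(holder, key, value);
  }

  return walk({ '': JSON.parse(text) }, '');
}

// The thread's reproducer, rebuilt fresh on each call (constructed input).
function circularReviverCase() {
  const shared = { 0: 11, 1: 9 };
  return ['[0,0]', function () { this[1] = shared; }];
}

// Constructor name of the error fn throws, or null if it returns normally.
function errorName(fn) {
  try { fn(); return null; } catch (e) { return e.constructor.name; }
}

const [text, reviver] = circularReviverCase();
// A fixed V8 (e.g. current Node.js) throws RangeError from the native recursion:
console.log(errorName(() => JSON.parse(text, reviver)));
// The guard reports the cycle as a TypeError before any deep recursion:
console.log(errorName(() => parseWithCycleGuard(text, reviver)));
```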