Heap-buffer-overflow in lexer_consume_next_character: jerry-core/parser/js/js-lexer.c:1856 #5254

@ericliuu

Description

Hello,

I found a lexer crash when running some malformed JavaScript.

JerryScript revision

355ab24

Build platform

Ubuntu 24.04.2

Build steps
python3 tools/build.py --clean --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --compile-flag=-fsanitize=address --compile-flag=-g --strip=off --lto=off --error-messages=on --logging=on --line-info=on --stack-limit=20
Test case
class C {
  static {
  }

The error only occurs if there is no newline at the end of the test case. To create the test case, one way is to copy the above text into vim with set binary and set noeol enabled.

Output
=================================================================
==1722506==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50300000005b at pc 0x588491d853f2 bp 0x7ffcd5f2fef0 sp 0x7ffcd5f2fee0
READ of size 1 at 0x50300000005b thread T0
    #0 0x588491d853f1 in lexer_consume_next_character jerryscript/jerry-core/parser/js/js-lexer.c:1856
    #1 0x588491d93021 in parser_parse_class_body jerryscript/jerry-core/parser/js/js-parser-expr.c:861
    #2 0x588491d93021 in parser_parse_class jerryscript/jerry-core/parser/js/js-parser-expr.c:1137
    #3 0x588491d9c77d in parser_parse_statements jerryscript/jerry-core/parser/js/js-parser-statm.c:2787
    #4 0x588491d325a7 in parser_parse_source jerryscript/jerry-core/parser/js/js-parser.c:2280
    #5 0x588491cd38eb in jerry_parse_common jerryscript/jerry-core/api/jerryscript.c:413
    #6 0x588491cd3b19 in jerry_parse jerryscript/jerry-core/api/jerryscript.c:481
    #7 0x588491da6ff0 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:52
    #8 0x588491da7094 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63
    #9 0x588491ccdd89 in main jerryscript/jerry-main/main-desktop.c:156
    #10 0x7ff45422a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7ff45422a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #12 0x588491cd04f4 in _start (jerryscript/build/bin/jerry+0x2a4f4) (BuildId: 17c3aadef0d80cfcfe75b8301417b3c3fd3fce2e)

0x50300000005b is located 0 bytes after 27-byte region [0x503000000040,0x50300000005b)
allocated by thread T0 here:
    #0 0x7ff4546fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x588491da79db in jerry_port_source_read jerryscript/jerry-port/common/jerry-port-fs.c:67
    #2 0x588491da6ed1 in jerryx_source_parse_script jerryscript/jerry-ext/util/sources.c:33
    #3 0x588491da7094 in jerryx_source_exec_script jerryscript/jerry-ext/util/sources.c:63
    #4 0x588491ccdd89 in main jerryscript/jerry-main/main-desktop.c:156
    #5 0x7ff45422a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7ff45422a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #7 0x588491cd04f4 in _start (jerryscript/build/bin/jerry+0x2a4f4) (BuildId: 17c3aadef0d80cfcfe75b8301417b3c3fd3fce2e)

SUMMARY: AddressSanitizer: heap-buffer-overflow jerryscript/jerry-core/parser/js/js-lexer.c:1856 in lexer_consume_next_character
Shadow bytes around the buggy address:
  0x502ffffffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x503000000000: fa fa 00 00 00 fa fa fa 00 00 00[03]fa fa fa fa
  0x503000000080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x503000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1722506==ABORTING

With the --debug flag:

ICE: Assertion 'context_p->source_p < context_p->source_end_p' failed at jerryscript/jerry-core/parser/js/js-lexer.c(lexer_consume_next_character):1851.
Error: JERRY_FATAL_FAILED_ASSERTION
Aborted

Expected behavior

Should result in a lexer error instead of a crash
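The assertion quoted above (`context_p->source_p < context_p->source_end_p`) is the invariant that the non-debug build skips, which is why ASan reports a one-byte read exactly at the end of the 27-byte source allocation when the file ends in `}` instead of a newline. The following C program is an added illustration of that end-of-input rule and is not JerryScript's code: the `source_p` / `source_end_p` field names are borrowed from the assertion message, but the context struct, `lexer_peek`, `lexer_consume_next_character` and the toy brace scanner are hypothetical, and the two inputs are constructed from the report's test case (with and without the class being closed). Every dereference is routed through a single checked function, so running out of input inside an open block yields a "truncated" result, the lexer-error outcome the report asks for, and the instrumentation shows that the number of bytes read never exceeds the buffer length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical lexer context. The field names source_p / source_end_p
 * follow the assertion quoted in the report; the struct and functions
 * here are not JerryScript's, only a model of the same end-of-input rule. */
typedef struct
{
  const uint8_t *source_p;     /* next byte to be read */
  const uint8_t *source_end_p; /* one past the last byte of the buffer */
  size_t bytes_read;           /* instrumentation: dereferences performed */
} lexer_ctx_t;

#define LEXER_EOS (-1) /* end-of-source sentinel, never a valid byte value */

/* Every dereference goes through this function, so the invariant
 * source_p < source_end_p is checked exactly where the report's ICE
 * assertion says it must hold. */
static int lexer_peek (lexer_ctx_t *ctx_p)
{
  if (ctx_p->source_p >= ctx_p->source_end_p)
  {
    return LEXER_EOS;
  }
  ctx_p->bytes_read++;
  return *ctx_p->source_p;
}

/* Advance past the current byte and return the next one (or LEXER_EOS).
 * Without the check in lexer_peek, a buffer whose last byte is '}' rather
 * than '\n' would be read at source_end_p, one byte past the allocation. */
static int lexer_consume_next_character (lexer_ctx_t *ctx_p)
{
  if (ctx_p->source_p >= ctx_p->source_end_p)
  {
    return LEXER_EOS;
  }
  ctx_p->source_p++;
  return lexer_peek (ctx_p);
}

typedef struct
{
  int depth;         /* brace depth when input ended; 0 means balanced */
  int truncated;     /* 1 when input ended inside an open block */
  size_t bytes_read; /* must equal the input length, never exceed it */
} scan_result_t;

/* Toy class-body scanner: tracks '{' / '}' nesting and, like the parser in
 * the report's stack trace, keeps consuming after a closing brace. Ending
 * inside a block produces a truncated result instead of an over-read. */
scan_result_t scan_class_body (const uint8_t *src_p, size_t len)
{
  lexer_ctx_t ctx = { src_p, src_p + len, 0 };
  scan_result_t res = { 0, 0, 0 };
  int c = lexer_peek (&ctx);

  while (c != LEXER_EOS)
  {
    if (c == '{')
    {
      res.depth++;
    }
    else if (c == '}')
    {
      res.depth--;
    }
    c = lexer_consume_next_character (&ctx);
  }

  res.truncated = (res.depth != 0);
  res.bytes_read = ctx.bytes_read;
  return res;
}

/* Constructed inputs: the report's test case without a trailing newline,
 * and a balanced variant with the class closed. */
static const char SRC_NO_EOL[] = "class C {\n  static {\n  }";
static const char SRC_BALANCED[] = "class C {\n  static {\n  }\n}";

int main (void)
{
  scan_result_t r = scan_class_body ((const uint8_t *) SRC_NO_EOL, strlen (SRC_NO_EOL));
  printf ("no-eol: depth=%d truncated=%d bytes_read=%zu of %zu\n",
          r.depth, r.truncated, r.bytes_read, strlen (SRC_NO_EOL));
  r = scan_class_body ((const uint8_t *) SRC_BALANCED, strlen (SRC_BALANCED));
  printf ("balanced: depth=%d truncated=%d bytes_read=%zu of %zu\n",
          r.depth, r.truncated, r.bytes_read, strlen (SRC_BALANCED));
  return 0;
}
```

The point of the instrumentation is that the crash depends on the last byte of the file: with a trailing newline the parser sees the newline after `}` and still has a byte to read, while without it the consume step lands exactly on `source_end_p`, so a bounds check before that read is what turns the crash into an ordinary unterminated-class error.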
