njs_process_script_fuzzer crashing test case in njs_function_alloc #921

@gal1ium

Describe the bug

Hi! We found a crashing test case when testing with the njs_process_script_fuzzer fuzzing driver.

  • The bug is reproducible with the latest version of njs.
  • I minimized the code and NGINX configuration to the smallest
    possible to reproduce the issue.

To reproduce

Steps to reproduce the behavior:

  • JS script
var a=[0]
a.forEach(
    function() {
        async function foo(){
            Function`
                });
                let b="";
                b;
                function o(){};
                //`
        }
        foo()
    }
)

ASan output

==3846895==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000062fdf2 bp 0xbebebebebebebe4e sp 0x7ffd9424b250 T0)
==3846895==The signal is caused by a READ memory access.
==3846895==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x62fdf2 in njs_function_alloc /src/njs/src/njs_function.c:22:45
    #1 0x634fde in njs_function_constructor /src/njs/src/njs_function.c:1130:16
    #2 0x6329d0 in njs_function_native_call /src/njs/src/njs_function.c:645:11
    #3 0x6329d0 in njs_function_frame_invoke /src/njs/src/njs_function.c:681:16
    #4 0x537eda in njs_vmcode_interpreter /src/njs/src/njs_vmcode.c:1514:15
    #5 0x6331e1 in njs_function_lambda_call /src/njs/src/njs_function.c:608:11
    #6 0x67297a in njs_async_function_frame_invoke /src/njs/src/njs_async.c:28:11
    #7 0x537eda in njs_vmcode_interpreter /src/njs/src/njs_vmcode.c:1514:15
    #8 0x6331e1 in njs_function_lambda_call /src/njs/src/njs_function.c:608:11
    #9 0x61ef6a in njs_function_call /src/njs/src/njs_function.h:167:12
    #10 0x61ef6a in njs_array_iterator_call /src/njs/src/njs_array.c:2117:12
    #11 0x61ef6a in njs_array_handler_for_each /src/njs/src/njs_array.c:2203:16
    #12 0x6703d2 in njs_object_iterate /src/njs/src/njs_iterator.c
    #13 0x61147c in njs_array_prototype_iterator /src/njs/src/njs_array.c:2490:11
    #14 0x6329d0 in njs_function_native_call /src/njs/src/njs_function.c:645:11
    #15 0x6329d0 in njs_function_frame_invoke /src/njs/src/njs_function.c:681:16
    #16 0x537eda in njs_vmcode_interpreter /src/njs/src/njs_vmcode.c:1514:15
    #17 0x52e4f2 in njs_vm_start /src/njs/src/njs_vm.c:698:11
    #18 0x512615 in njs_engine_njs_eval /src/njs/external/njs_shell.c:1387:16
    #19 0x512165 in njs_process_script /src/njs/external/njs_shell.c:3340:11
    #20 0x510eed in njs_main /src/njs/external/njs_shell.c:454:15
    #21 0x510eed in LLVMFuzzerTestOneInput /src/njs/external/njs_shell.c:869:12
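
A triage helper for the report above, added here as an example; it is not part of njs and not code from the reporter. It parses the ASan text into structured frames, builds a signature for deduplicating fuzzer findings, and flags register values made of ASan's heap fill byte. The interpretation it encodes is an assumption about ASan defaults rather than anything the report states: ASan fills fresh allocations with malloc_fill_byte (0xbe by default, for the first max_malloc_fill_size = 0x1000 bytes), so a register such as bp = 0xbebebebebebebe4e at the fault usually means the faulting pointer was loaded from heap memory that was allocated but never initialised, which is why ASan can only report a SEGV on an untracked "high value address" instead of a heap-use-after-free. The next manual step is the one the hint gives: disassemble the pc and check which operand of njs_function.c:22 read it.

```python
"""Triage helper for ASan SEGV reports like the one quoted above.

Added example, not njs code and not the reporter's: parses the sanitizer
output, derives a dedup signature, and flags registers that look like
uninitialised heap (ASan's default malloc_fill_byte, 0xbe).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ASan runtime defaults: malloc_fill_byte=0xbe, applied to the first
# max_malloc_fill_size (0x1000) bytes of every allocation.
ASAN_MALLOC_FILL_BYTE = 0xBE

# Constructed sample: header, hint and a subset of the frames from the report
# above (frames #4-#11 and #13-#20 omitted to keep the sample short).
SAMPLE_REPORT = """\
==3846895==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x00000062fdf2 bp 0xbebebebebebebe4e sp 0x7ffd9424b250 T0)
==3846895==The signal is caused by a READ memory access.
==3846895==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x62fdf2 in njs_function_alloc /src/njs/src/njs_function.c:22:45
    #1 0x634fde in njs_function_constructor /src/njs/src/njs_function.c:1130:16
    #2 0x6329d0 in njs_function_native_call /src/njs/src/njs_function.c:645:11
    #3 0x6329d0 in njs_function_frame_invoke /src/njs/src/njs_function.c:681:16
    #12 0x6703d2 in njs_object_iterate /src/njs/src/njs_iterator.c
    #21 0x510eed in LLVMFuzzerTestOneInput /src/njs/external/njs_shell.c:869:12
"""

# Header covers both "SEGV on unknown address (pc ..." and
# "<kind> on address 0x... at pc ..." shapes emitted by ASan.
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>.+?) on (?:unknown )?address"
    r"(?: (?P<addr>0x[0-9a-f]+))? (?:\(|at )pc (?P<pc>0x[0-9a-f]+) bp (?P<bp>0x[0-9a-f]+)"
    r" sp (?P<sp>0x[0-9a-f]+) T(?P<tid>\d+)"
)
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^#(?P<idx>\d+) 0x(?P<pc>[0-9a-f]+) in (?P<func>\S+) (?P<loc>\S+)")
# file[:line[:col]]; frames without debug info (like #12 above) carry only the file.
LOC_RE = re.compile(r"^(?P<file>.+?)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")
# Sanitizer runtime / libc frames carry no dedup value.
RUNTIME_PREFIXES = ("__asan", "__sanitizer", "__interceptor", "__libc_")


@dataclass
class Frame:
    index: int
    pc: int
    func: str
    file: str
    line: Optional[int]
    col: Optional[int]


@dataclass
class AsanReport:
    pid: int
    kind: str                      # "SEGV", "heap-buffer-overflow", ...
    access: Optional[str]          # "READ" / "WRITE" when ASan says so
    pc: int
    bp: int
    sp: int
    frames: List[Frame] = field(default_factory=list)

    def top_frame(self) -> Optional[Frame]:
        """First frame outside the sanitizer runtime: the faulting code."""
        for f in self.frames:
            if not f.func.startswith(RUNTIME_PREFIXES):
                return f
        return None

    def signature(self, depth: int = 3) -> str:
        """Error kind plus the top `depth` non-runtime functions, no addresses,
        so the same bug found by many fuzzer inputs collapses to one key."""
        funcs = [f.func for f in self.frames if not f.func.startswith(RUNTIME_PREFIXES)]
        return self.kind + ":" + "|".join(funcs[:depth])

    def fill_pattern_registers(self) -> List[str]:
        """Reported registers whose value looks like uninitialised heap."""
        regs = (("pc", self.pc), ("bp", self.bp), ("sp", self.sp))
        return [name for name, val in regs if looks_like_malloc_fill(val)]


def looks_like_malloc_fill(value: int, width: int = 8, min_bytes: int = 6) -> bool:
    """True if at least `min_bytes` of the `width`-byte value equal 0xbe.
    The threshold tolerates a small offset added to the garbage pointer,
    as in bp=0xbebebebebebebe4e above (7 of 8 bytes)."""
    raw = value.to_bytes(width, "little")
    return sum(b == ASAN_MALLOC_FILL_BYTE for b in raw) >= min_bytes


def parse_asan_report(text: str) -> AsanReport:
    """Parse one ASan report; raises ValueError if no error header is present."""
    report: Optional[AsanReport] = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                report = AsanReport(pid=int(m["pid"]), kind=m["kind"], access=None,
                                    pc=int(m["pc"], 16), bp=int(m["bp"], 16),
                                    sp=int(m["sp"], 16))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access = m["access"]
            continue
        m = FRAME_RE.match(line)
        if m:
            loc = LOC_RE.match(m["loc"])
            report.frames.append(Frame(
                index=int(m["idx"]), pc=int(m["pc"], 16), func=m["func"], file=loc["file"],
                line=int(loc["line"]) if loc["line"] else None,
                col=int(loc["col"]) if loc["col"] else None))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    top = r.top_frame()
    print(f"{r.signature()}  access={r.access}  at {top.file}:{top.line}")
    for reg in r.fill_pattern_registers():
        print(f"{reg} holds the ASan malloc fill pattern: likely uninitialised heap pointer")
```

Feed it the full report, or any other ASan crash from the same fuzzer, to get one dedup key per distinct stack; the fill-byte check is only a heuristic (a legitimately allocated object can contain 0xbe), so treat a hit as a pointer to the allocation to inspect, not as a conclusion.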
