Re: f=load("load(f)");f() bug found by AFL fuzzer

• From: Mike Pall <mike-1503@xxxxxxxxxx>
• To: luajit@xxxxxxxxxxxxx
• Date: Mon, 2 Mar 2015 18:57:59 +0100

Alexander Nasonov wrote:
> But it's not easy to fool afl. These are the two programs it found:
> 
> s="";s=load"adstrs=loadstring(s);wstring(s)ing(s);wstring(s)";s=loadstring(s);wstring(s);while
>  s do s=s(s) end
> s="";s=load"adstrins=loadstring(s);wstrg(s);wstring(s)";s=loadstring(s);wstring(s);while
>  s do s=s(s) end
> 
> both crash LuaJIT 2.0.

This doesn't crash for me. Neither in 2.0.3 nor in 2.0 git, nor in
2.1 git. Neither when compiled as x86 nor as x64.

It complains about "attempt to call global 'wstring' (a nil value)".
But that's expected, since 'wstring' is not defined. 

--Mike

• Follow-Ups:
  • Re: f=load("load(f)");f() bug found by AFL fuzzer
    • From: Coda Highland
  • Re: f=load("load(f)");f() bug found by AFL fuzzer
    • From: Alexander Nasonov

• References:
  • f=load("load(f)");f() bug found by AFL fuzzer
    • From: Alexander Nasonov

Other related posts:

• » f=load("load(f)");f() bug found by AFL fuzzer- Alexander Nasonov
• » Re: f=load("load(f)");f() bug found by AFL fuzzer - Mike Pall
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Coda Highland
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Coda Highland
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Coda Highland
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Coda Highland
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Coda Highland
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Alexander Nasonov
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Alexander Nasonov
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Mike Pall
• » Re: f=load("load(f)");f() bug found by AFL fuzzer- Alexander Nasonov

1. Home
2. luajit
3. Archive
4. 03-2015

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---