SEGV has occurred when running program mqjs in function get_mblock_size at mquickjs.c

[Du4t]

Description

SEGV has occurred when running program mqjs in function get_mblock_size at mquickjs.c:11783:43

Version

commit 74b7ec5003a06d62d8cfb60448fa2b93c0441d1b (HEAD -> main, origin/main, origin/HEAD)
Author: Fabrice Bellard <fabrice@bellard.org>
Date:   Fri Dec 26 12:34:35 2025 +0100

    raise an error if the array length was modified in Array.prototype.splice as handling the case may not have any practical use (#20)

Steps to reproduce

$ git clone https://github.com/bellard/mquickjs
$ cd mquickjs; make -j12; 
$ ./mqjs -d -o a -m32 ./poc-get_mblock_size-SEGV

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1852188==ERROR: AddressSanitizer: SEGV on unknown address 0x7c253bfffeb8 (pc 0x5dd923694462 bp 0x7ffe93bb97e0 sp 0x7ffe93bb97e0 T0)
==1852188==The signal is caused by a READ memory access.
    #0 0x5dd923694462 in get_mblock_size mquickjs/mquickjs.c:11783:43
    #1 0x5dd9236942d0 in JS_FreeContext mquickjs/mquickjs.c:3642:16
    #2 0x5dd92368424d in compile_file mquickjs/mqjs.c:424:5
    #3 0x5dd92368424d in main mquickjs/mqjs.c:719:9
    #4 0x7c259fe29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7c259fe29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #6 0x5dd9235c3484 in _start (mquickjs/mqjs+0x2b484) (BuildId: 2ddff08769491bf2d9e34bc158ae37c04f43f1a1)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV mquickjs/mquickjs.c:11783:43 in get_mblock_size
==1852188==ABORTING

POC

https://github.com/Du4t/POC/blob/main/mquickjs/poc-get_mblock_size-SEGV

Impact

Potentially causing DoS

[davidfiala]

How did you come up with this? The PoC is appreciated, but given that it includes far more than it needs, it looks suspicious AF.

The above PoC can be reduced to just this: ""(123) an empty string followed by a parenthetical expression.

I think there's a couple things here:

1. Missing parse error on a non-function (ie literal) followed by a parenthetical. ie: (123)(456) or "string"(123) during bytecode generation.
2. Presumably gc_compact_heap_64to32 modified the heap in a way incompatible with JS_FreeContext ? That's the SEGV source.

The above PoC is ridiculous, but it takes demonstrates an empty-string-then-parenthetical-with-constant-number to cause the SEGV. But it also appears to be invalid JS in general because it ends in (:, so it's probably identified another separate parse error case too.

It can be further reduced to any empty string at the start of the program where zero or more constant expressions exist before the empty string:

// assuming a x86_64 binary: ./mqjs -o output.bin -m32 poc.js # only crashes with -o and -m32 present

// a file starting with just double quotes:
"" // crash

// a file starting with just single quotes:
'' // crash

// or even a file string with a const expression and then empty quotes:
123;
"";

Reenforcing this is the fact that if you compile mqjs as x86_32, then you just get normal parse errors when you compile and run the bytecode.