
`duk_to_pointer` shows a use-after-free

Open · gal1ium opened this issue 1 year ago · 1 comment

Hi! We met an ASAN UAF report while testing the APIs; the POC is:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "duktape.h"

duk_context* r;
int main(void)
{
  r = duk_create_heap_default();
  /* Push a 4 MiB fixed buffer; the value stack slot holds its only reference. */
  duk_push_buffer(r, 0x400000, 0x0);
  /* Coerce the slot in place to a pointer: the buffer value is replaced,
   * its last reference is dropped and the backing store is freed. */
  void* p1 = duk_to_pointer(r, 0);
  printf("ptr:%p\n", p1);
  /* p1 now points into freed memory; this read is the UAF ASAN reports. */
  printf("value:%x\n", *(int*)p1);
  return 0;
}
```

And the ASAN report is:

```text
ptr:0x7ffff43fe800
=================================================================
==524610==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ffff43fe800 at pc 0x0000004c4419 bp 0x7fffffffe620 sp 0x7fffffffe618
READ of size 4 at 0x7ffff43fe800 thread T0
    #0 0x4c4418 in main (~/a.out+0x4c4418)
    #1 0x7ffff7c45082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #2 0x41c44d in _start (~/a.out+0x41c44d)

0x7ffff43fe800 is located 0 bytes inside of 4194336-byte region [0x7ffff43fe800,0x7ffff47fe820)
freed by thread T0 here:
    #0 0x49490d in free (~/a.out+0x49490d)
    #1 0x4edd37 in duk_replace ~/duktape-2.7.0/src-input/duk_api_stack.c:1272:2
    #2 0x4edd37 in duk_to_pointer ~/duktape-2.7.0/src-input/duk_api_stack.c:3625:2

previously allocated by thread T0 here:
    #0 0x494b8d in malloc (~/a.out+0x494b8d)
    #1 0x55dd58 in duk__heap_mem_alloc_slowpath ~/duktape-2.7.0/src-input/duk_heap_memory.c:58:9

SUMMARY: AddressSanitizer: heap-use-after-free (~/a.out+0x4c4418) in main
```

Could you help us verify this issue? Thank you!

gal1ium, Dec 07 '22 06:12
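To make the lifetime problem in the trace concrete, here is a small refcounted value-stack model added for illustration (it is neither Duktape's code nor the reporter's): `to_pointer` coerces a slot in place, which is what the trace shows `duk_to_pointer` doing through `duk_replace`, so a buffer held only by that slot is freed and the returned pointer dangles, whereas taking a second reference first keeps it live. The type names, the fixed-size stack and the `last_freed` bookkeeping are assumptions of the model.

```c
#include <stdlib.h>
/* Simplified model (not Duktape code) of a refcounted value stack: an in-place
 * coercion like duk_to_pointer() overwrites the slot with a raw pointer value,
 * and if that slot held the buffer's only reference the store is freed. */
typedef enum { T_UNDEF, T_BUFFER, T_POINTER } vtype;
typedef struct { int refcount; unsigned char *data; } buffer_t;
typedef struct { vtype type; buffer_t *buf; void *ptr; } value_t;
static value_t stack[8];
static int top;
static void *last_freed;  /* data pointer released by the most recent free (model only) */
static void decref(buffer_t *b) {
    if (--b->refcount == 0) { last_freed = b->data; free(b->data); free(b); }
}
static void push_buffer(size_t size) {   /* like duk_push_buffer(): one reference */
    buffer_t *b = calloc(1, sizeof *b);
    b->data = calloc(size, 1); b->refcount = 1;
    stack[top].type = T_BUFFER; stack[top].buf = b; stack[top].ptr = NULL; top++;
}
static void dup_top(void) {              /* like duk_dup_top(): a second reference */
    stack[top] = stack[top - 1];
    if (stack[top].type == T_BUFFER) stack[top].buf->refcount++;
    top++;
}
static void *to_pointer(int idx) {       /* in-place coercion of slot idx */
    value_t old = stack[idx];
    void *p = old.type == T_BUFFER ? old.buf->data : old.ptr;
    stack[idx].type = T_POINTER; stack[idx].ptr = p; stack[idx].buf = NULL;
    if (old.type == T_BUFFER) decref(old.buf); /* drops what may be the last ref */
    return p;
}
static void pop_all(void) {
    while (top > 0) { top--; if (stack[top].type == T_BUFFER) decref(stack[top].buf); }
}
/* Mirrors the PoC: returns 1 if the returned pointer refers to freed memory. */
int unsafe_to_pointer_dangles(void) {
    pop_all(); last_freed = NULL;
    push_buffer(64);
    void *p = to_pointer(0);
    return p != NULL && p == last_freed;
}
/* Keep a live reference (dup first, coerce the copy): returns 1 if the buffer survives. */
int dup_then_to_pointer_is_live(void) {
    pop_all(); last_freed = NULL;
    push_buffer(64);
    dup_top();
    void *p = to_pointer(1);
    int live = (last_freed == NULL) && (p == stack[0].buf->data);
    pop_all();
    return live;
}
```

The practical takeaway for API users is the same as the model shows: a raw pointer obtained from a value-stack entry is only valid while some stack slot still holds the owning buffer.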

Thanks, I'll try to verify this when I get a chance :+1:

svaarala, Dec 08 '22 21:12