Bug 697142

Summary: MUJS library use-after-free in 'Rp_toString' function
Product: MuJS
Reporter: op7ic <op7ica>
Component: general
Assignee: Tor Andersson <tor.andersson>
Status: RESOLVED FIXED
Severity: normal
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---

Description op7ic 2016-09-21 06:00:53 UTC
Source file: 
mujs/jsregexp.c:161

Function:
Rp_toString

Compile Flags

CFLAGS += -g3 -ggdb -O0
Compile Command: 
make

Valgrind short output: 

> valgrind ../../temp/mujs/build/mujs /tmp/Rp_toString_UaF.txt
==59994== Memcheck, a memory error detector
==59994== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==59994== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==59994== Command: ../../temp/mujs/build/mujs /tmp/Rp_toString_UaF.txt
==59994==
==59994== Invalid read of size 1
==59994==    at 0x4C2EDD2: strlen (vg_replace_strmem.c:454)
==59994==    by 0x416E35: Rp_toString (jsregexp.c:161)
==59994==    by 0x40C573: jsR_callcfunction (jsrun.c:1015)
==59994==    by 0x40C89D: js_call (jsrun.c:1057)
==59994==    by 0x4021FE: jsV_toString (jsvalue.c:56)
==59994==    by 0x4023EA: jsV_toprimitive (jsvalue.c:103)
==59994==    by 0x4029B5: jsV_tonumber (jsvalue.c:209)
==59994==    by 0x409DF4: js_toint32 (jsrun.c:263)
==59994==    by 0x40EBBF: jsR_run (jsrun.c:1618)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==  Address 0x5e2d919 is 9 bytes inside a block of size 26 free'd
==59994==    at 0x4C2CDFB: free (vg_replace_malloc.c:530)
==59994==    by 0x4040AB: js_defaultalloc (jsstate.c:13)
==59994==    by 0x409103: js_free (jsrun.c:50)
==59994==    by 0x407747: js_gc (jsgc.c:205)
==59994==    by 0x40D51B: jsR_run (jsrun.c:1279)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==    by 0x4046A1: js_dofile (jsstate.c:152)
==59994==    by 0x401EBB: main (main.c:176)
==59994==  Block was alloc'd at
==59994==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==59994==    by 0x4040C6: js_defaultalloc (jsstate.c:17)
==59994==    by 0x40906E: js_malloc (jsrun.c:34)
==59994==    by 0x40912D: jsV_newmemstring (jsrun.c:55)
==59994==    by 0x409532: js_pushstring (jsrun.c:115)
==59994==    by 0x4037EB: js_concat (jsvalue.c:512)
==59994==    by 0x40E6A4: jsR_run (jsrun.c:1551)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==
==59994== Invalid read of size 1
==59994==    at 0x4C2EDE4: strlen (vg_replace_strmem.c:454)
==59994==    by 0x416E35: Rp_toString (jsregexp.c:161)
==59994==    by 0x40C573: jsR_callcfunction (jsrun.c:1015)
==59994==    by 0x40C89D: js_call (jsrun.c:1057)
==59994==    by 0x4021FE: jsV_toString (jsvalue.c:56)
==59994==    by 0x4023EA: jsV_toprimitive (jsvalue.c:103)
==59994==    by 0x4029B5: jsV_tonumber (jsvalue.c:209)
==59994==    by 0x409DF4: js_toint32 (jsrun.c:263)
==59994==    by 0x40EBBF: jsR_run (jsrun.c:1618)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==  Address 0x5e2d91a is 10 bytes inside a block of size 26 free'd
==59994==    at 0x4C2CDFB: free (vg_replace_malloc.c:530)
==59994==    by 0x4040AB: js_defaultalloc (jsstate.c:13)
==59994==    by 0x409103: js_free (jsrun.c:50)
==59994==    by 0x407747: js_gc (jsgc.c:205)
==59994==    by 0x40D51B: jsR_run (jsrun.c:1279)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==    by 0x4046A1: js_dofile (jsstate.c:152)
==59994==    by 0x401EBB: main (main.c:176)
==59994==  Block was alloc'd at
==59994==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==59994==    by 0x4040C6: js_defaultalloc (jsstate.c:17)
==59994==    by 0x40906E: js_malloc (jsrun.c:34)
==59994==    by 0x40912D: jsV_newmemstring (jsrun.c:55)
==59994==    by 0x409532: js_pushstring (jsrun.c:115)
==59994==    by 0x4037EB: js_concat (jsvalue.c:512)
==59994==    by 0x40E6A4: jsR_run (jsrun.c:1551)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==
==59994== Invalid read of size 1
==59994==    at 0x4C2EA89: strcat (vg_replace_strmem.c:303)
==59994==    by 0x416E6C: Rp_toString (jsregexp.c:163)
==59994==    by 0x40C573: jsR_callcfunction (jsrun.c:1015)
==59994==    by 0x40C89D: js_call (jsrun.c:1057)
==59994==    by 0x4021FE: jsV_toString (jsvalue.c:56)
==59994==    by 0x4023EA: jsV_toprimitive (jsvalue.c:103)
==59994==    by 0x4029B5: jsV_tonumber (jsvalue.c:209)
==59994==    by 0x409DF4: js_toint32 (jsrun.c:263)
==59994==    by 0x40EBBF: jsR_run (jsrun.c:1618)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==  Address 0x5e2d919 is 9 bytes inside a block of size 26 free'd
==59994==    at 0x4C2CDFB: free (vg_replace_malloc.c:530)
==59994==    by 0x4040AB: js_defaultalloc (jsstate.c:13)
==59994==    by 0x409103: js_free (jsrun.c:50)
==59994==    by 0x407747: js_gc (jsgc.c:205)
==59994==    by 0x40D51B: jsR_run (jsrun.c:1279)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==    by 0x4046A1: js_dofile (jsstate.c:152)
==59994==    by 0x401EBB: main (main.c:176)
==59994==  Block was alloc'd at
==59994==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==59994==    by 0x4040C6: js_defaultalloc (jsstate.c:17)
==59994==    by 0x40906E: js_malloc (jsrun.c:34)
==59994==    by 0x40912D: jsV_newmemstring (jsrun.c:55)
==59994==    by 0x409532: js_pushstring (jsrun.c:115)
==59994==    by 0x4037EB: js_concat (jsvalue.c:512)
==59994==    by 0x40E6A4: jsR_run (jsrun.c:1551)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==
==59994== Invalid read of size 1
==59994==    at 0x4C2EAA3: strcat (vg_replace_strmem.c:303)
==59994==    by 0x416E6C: Rp_toString (jsregexp.c:163)
==59994==    by 0x40C573: jsR_callcfunction (jsrun.c:1015)
==59994==    by 0x40C89D: js_call (jsrun.c:1057)
==59994==    by 0x4021FE: jsV_toString (jsvalue.c:56)
==59994==    by 0x4023EA: jsV_toprimitive (jsvalue.c:103)
==59994==    by 0x4029B5: jsV_tonumber (jsvalue.c:209)
==59994==    by 0x409DF4: js_toint32 (jsrun.c:263)
==59994==    by 0x40EBBF: jsR_run (jsrun.c:1618)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==  Address 0x5e2d91a is 10 bytes inside a block of size 26 free'd
==59994==    at 0x4C2CDFB: free (vg_replace_malloc.c:530)
==59994==    by 0x4040AB: js_defaultalloc (jsstate.c:13)
==59994==    by 0x409103: js_free (jsrun.c:50)
==59994==    by 0x407747: js_gc (jsgc.c:205)
==59994==    by 0x40D51B: jsR_run (jsrun.c:1279)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==    by 0x4046A1: js_dofile (jsstate.c:152)
==59994==    by 0x401EBB: main (main.c:176)
==59994==  Block was alloc'd at
==59994==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==59994==    by 0x4040C6: js_defaultalloc (jsstate.c:17)
==59994==    by 0x40906E: js_malloc (jsrun.c:34)
==59994==    by 0x40912D: jsV_newmemstring (jsrun.c:55)
==59994==    by 0x409532: js_pushstring (jsrun.c:115)
==59994==    by 0x4037EB: js_concat (jsvalue.c:512)
==59994==    by 0x40E6A4: jsR_run (jsrun.c:1551)
==59994==    by 0x40C3F2: jsR_callfunction (jsrun.c:982)
==59994==    by 0x40C7C9: js_call (jsrun.c:1049)
==59994==    by 0x40E1E5: jsR_run (jsrun.c:1460)
==59994==    by 0x40C4B8: jsR_callscript (jsrun.c:998)
==59994==    by 0x40C83D: js_call (jsrun.c:1053)
==59994==
ReferenceError: 'aWturn' is not defined
        at /tmp/Rp_toString_UaF.txt:1
        at /tmp/Rp_toString_UaF.txt:1
==59994==
==59994== HEAP SUMMARY:
==59994==     in use at exit: 1,117,425 bytes in 3,659 blocks
==59994==   total heap usage: 54,235 allocs, 50,576 frees, 19,517,848 bytes allocated
==59994==
==59994== LEAK SUMMARY:
==59994==    definitely lost: 17,272 bytes in 1 blocks
==59994==    indirectly lost: 1,097,217 bytes in 3,656 blocks
==59994==      possibly lost: 2,936 bytes in 2 blocks
==59994==    still reachable: 0 bytes in 0 blocks
==59994==         suppressed: 0 bytes in 0 blocks
==59994== Rerun with --leak-check=full to see details of leaked memory
==59994==
==59994== For counts of detected and suppressed errors, rerun with: -v
==59994== ERROR SUMMARY: 34 errors from 4 contexts (suppressed: 0 from 0)


Affected code:

154 static void Rp_toString(js_State *J)
155 {
156         js_Regexp *re;
157         char *out;
158
159         re = js_toregexp(J, 0);
160
161         out = js_malloc(J, strlen(re->source) + 6); /* extra space for //gim */
162         strcpy(out, "/");
163         strcat(out, re->source);
164         strcat(out, "/");
165         if (re->flags & JS_REGEXP_G) strcat(out, "g");
166         if (re->flags & JS_REGEXP_I) strcat(out, "i");
167         if (re->flags & JS_REGEXP_M) strcat(out, "m");
168
169         if (js_try(J)) {
170                 js_free(J, out);
171                 js_throw(J);
172         }
173         js_pop(J, 0);
174         js_pushstring(J, out);
175         js_endtry(J);
176         js_free(J, out);
177 }


Proof Of Concept (base64 encoded): 

> base64 /tmp/Rp_toString_UaF.txt

Proof Of Concept execution:
base64 -d /tmp/b64PoC.poc > /tmp/proof.txt
valgrind ../../temp/mujs/build/mujs /tmp/proof.txt
Comment 1 Tor Andersson 2016-09-21 07:22:51 UTC
commit 5c337af4b3df80cf967e4f9f6a21522de84b392a
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Wed Sep 21 16:01:08 2016 +0200

    Fix bug 697142: Stale string pointer stored in regexp object.
    
    Make sure to make a copy of the source pattern string.
    A case we missed when adding short and memory strings to the runtime.
    The code assumed all strings passed to it were either literal or interned.
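Added example (not MuJS code) illustrating the fix the commit above describes: the regexp object must own a copy of the pattern rather than a borrowed pointer into a string the GC may free, and the toString buffer is sized with the same strlen(source) + 6 budget as jsregexp.c:161. The names rx_new, rx_tostring, rx_free and the RX_* flags are hypothetical.

```c
/* Added example (not MuJS code): a regexp record that owns a copy of its
 * pattern, and the "/source/gim" formatting that jsregexp.c:161-167 does.
 * rx_new/rx_tostring/rx_free and RX_* are hypothetical names. */
#include <stdlib.h>
#include <string.h>

enum { RX_G = 1, RX_I = 2, RX_M = 4 };

typedef struct {
    char *source;   /* owned copy, never a borrowed pointer into GC memory */
    int flags;
} regexp_t;

/* Copying 'pattern' is the fix the commit describes: the caller's buffer
 * (a short or memory string in MuJS) may be freed by the GC later. */
regexp_t *rx_new(const char *pattern, int flags)
{
    regexp_t *re = malloc(sizeof *re);
    if (!re) return NULL;
    size_t n = strlen(pattern) + 1;
    re->source = malloc(n);
    if (!re->source) { free(re); return NULL; }
    memcpy(re->source, pattern, n);
    re->flags = flags;
    return re;
}

/* '/' + source + '/' + up to 3 flag chars + NUL = strlen(source) + 6,
 * the same budget jsregexp.c:161 uses. Caller frees the result. */
char *rx_tostring(const regexp_t *re)
{
    size_t len = strlen(re->source), p = 0;
    char *out = malloc(len + 6);
    if (!out) return NULL;
    out[p++] = '/';
    memcpy(out + p, re->source, len);
    p += len;
    out[p++] = '/';
    if (re->flags & RX_G) out[p++] = 'g';
    if (re->flags & RX_I) out[p++] = 'i';
    if (re->flags & RX_M) out[p++] = 'm';
    out[p] = '\0';
    return out;
}

void rx_free(regexp_t *re)
{
    if (re) { free(re->source); free(re); }
}
```

Under Valgrind, the scribble-then-free of the caller's buffer in a test stays clean only because rx_new copied the pattern; storing the pointer instead reproduces the "Invalid read ... inside a block ... free'd" reports above.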