| Summary: | mujs node Null ptr dereference in jscompile.c | | |
|---|---|---|---|
| Product: | MuJS | Reporter: | Shi Ji <puzzorsj> |
| Component: | general | Assignee: | Tor Andersson <tor.andersson> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | tor.andersson |
| Priority: | P4 | | |
| Version: | unspecified | | |
| Hardware: | PC | | |
| OS: | Windows NT | | |
| Customer: | | Word Size: | --- |
| Attachments: | poc and stack trace | | |
Created attachment 12977 [details]
poc and stack trace

# Vulnerability

mujs node Null ptr dereference in jscompile.c

# Version

git head version

# Address Sanitizer Output

ASAN:SIGSEGV
=================================================================
==14904== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0807aac5 sp 0xbffff130 bp 0xbffff158 T0)
AddressSanitizer can not provide additional info.
    #0 0x807aac4 in cexit /home/puzzor/puzzor/mujs/jscompile.c:798
    #1 0x807cab4 in cstm /home/puzzor/puzzor/mujs/jscompile.c:1113
    #2 0x807c7c2 in cstm /home/puzzor/puzzor/mujs/jscompile.c:1094
    #3 0x807d30a in cstmlist /home/puzzor/puzzor/mujs/jscompile.c:1185
    #4 0x807e364 in cfunbody /home/puzzor/puzzor/mujs/jscompile.c:1304
    #5 0x80753d3 in newfun /home/puzzor/puzzor/mujs/jscompile.c:48
    #6 0x807e4ed in jsC_compile /home/puzzor/puzzor/mujs/jscompile.c:1320
    #7 0x805efc0 in js_loadstringx /home/puzzor/puzzor/mujs/jsstate.c:56
    #8 0x805f114 in js_loadstring /home/puzzor/puzzor/mujs/jsstate.c:70
    #9 0x805f371 in js_loadfile /home/puzzor/puzzor/mujs/jsstate.c:121
    #10 0x805f4d7 in js_dofile /home/puzzor/puzzor/mujs/jsstate.c:150
    #11 0x8049fbb in main /home/puzzor/puzzor/mujs/main.c:175
    #12 0xb6804a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #13 0x8049560 in _start (/home/puzzor/puzzor/mujs/build/mujs+0x8049560)
SUMMARY: AddressSanitizer: SEGV /home/puzzor/puzzor/mujs/jscompile.c:798 cexit
==14904== ABORTING

# PoC

See poc

# Analysis

In the cexit function, a "node" may have no parent, which may lead to a null ptr dereference. Try to check whether node->parent is null before referencing it.

# Report Timeline

2016.09.30: Shi Ji(@Puzzor) discovered this issue

# Credit

Shi Ji(@Puzzor) of VARAS@IIE

# Repro

build with asan, run the poc with ./mujs poc

Any updates for this bug?

Fixed in commit 5008105780c0b0182ea6eda83ad5598f225be3ee

Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Wed Oct 26 14:31:53 2016 +0200

    Fix 697172: degenerate labeled break/continue statement.

    A labeled break statement will look for a matching label through its
    chain of parent statements. We start looking at the break statement
    though, so if the label is attached to the break, we'll return the
    break statement itself as a break target.

    Start looking for targets one level up instead.
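The mechanism the fix commit describes, as an added example that is not MuJS code and not the reporter's poc: a constructed C model of the parent-chain label search, with the buggy start-at-the-break lookup beside the fixed start-one-level-up lookup, and an exit walk that returns -1 instead of dereferencing NULL when the target turns out to be the break statement itself. The node layout, the helper names (`find_target`, `exit_walk`, `target_buggy`, `target_fixed`), the constructed inputs and the choice to store a label as a field of the statement it labels are assumptions of this model; the bug page does not show MuJS's AST.

```c
/* Constructed model of the degenerate labeled-break lookup described in the
 * fix commit. Not MuJS code: the node layout, the helper names and storing a
 * label as a field of the statement it labels are assumptions of the model. */
#include <stdio.h>
#include <string.h>

enum ntype { FUNBODY, BLOCK, LOOP, BREAK };

typedef struct node {
    enum ntype type;
    const char *label;        /* label attached to this statement via `label: stmt`, or NULL */
    const char *target_label; /* for BREAK: the label it names; NULL otherwise */
    struct node *parent;      /* NULL at the function body, the root of the chain */
} node;

/* Walk the parent chain from `start` and return the first statement that
 * carries `label`, or NULL when no statement on the chain has it. */
static node *find_target(node *start, const char *label)
{
    node *n;
    if (label == NULL)
        return NULL;
    for (n = start; n != NULL; n = n->parent)
        if (n->label != NULL && strcmp(n->label, label) == 0)
            return n;
    return NULL;
}

/* Buggy lookup: begins at the break statement itself, so a break that is
 * its own labeled statement (`foo: break foo;`) is returned as its own target. */
static node *target_buggy(node *brk)
{
    return find_target(brk, brk->target_label);
}

/* Fixed lookup, as the commit describes: begin one level up. */
static node *target_fixed(node *brk)
{
    return find_target(brk->parent, brk->target_label);
}

/* Model of the exit walk: step from the break up to `target`, counting the
 * frames that would be unwound. The loop only stops when it reaches `target`,
 * so a target that is the break itself is never met and the walk runs off the
 * root. The NULL guard returns -1 at the point where the crashing code read
 * n->type (the reporter's suggested check); it prevents the segfault only. */
static int exit_walk(node *brk, node *target)
{
    node *n = brk;
    int depth = 0;
    do {
        n = n->parent;
        if (n == NULL)
            return -1;
        depth++;
    } while (n != target);
    return depth;
}

/* `foo: break foo;` at the top of a function body (constructed input). The
 * buggy lookup returns the break itself and the exit walk runs off the root. */
int buggy_returns_self(void)
{
    node body = { FUNBODY, NULL, NULL, NULL };
    node brk  = { BREAK, "foo", "foo", &body };
    node *t = target_buggy(&brk);
    return t == &brk && exit_walk(&brk, t) == -1;
}

/* Same input with the fixed lookup: no target is found, which the caller
 * reports as "label not found" instead of compiling a degenerate break. */
int fixed_rejects_degenerate(void)
{
    node body = { FUNBODY, NULL, NULL, NULL };
    node brk  = { BREAK, "foo", "foo", &body };
    return target_fixed(&brk) == NULL;
}

/* `outer: for (...) { break outer; }` (constructed input): the fixed lookup
 * finds the loop two levels up and the exit walk unwinds exactly two frames. */
int fixed_finds_real_label(void)
{
    node body = { FUNBODY, NULL, NULL, NULL };
    node loop = { LOOP, "outer", NULL, &body };
    node blk  = { BLOCK, NULL, NULL, &loop };
    node brk  = { BREAK, NULL, "outer", &blk };
    node *t = target_fixed(&brk);
    return t == &loop && exit_walk(&brk, t) == 2;
}

int main(void)
{
    printf("buggy lookup returns the break itself: %d\n", buggy_returns_self());
    printf("fixed lookup rejects foo: break foo;:  %d\n", fixed_rejects_degenerate());
    printf("fixed lookup finds the outer loop:     %d\n", fixed_finds_real_label());
    return 0;
}
```

The NULL guard in `exit_walk` is the check the report asks for; on its own it turns the segfault into a break statement compiled against a target that was never reached, so it is a backstop rather than a fix. The commit's change, starting the search one level up, removes the degenerate target before the exit walk ever sees it, which is why the model's `target_fixed` never returns the break node.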