Bug 697244 (CVE-2016-9136)

Summary: heap-buffer-overflow in jsU_chartorune, buffer overread
Product: MuJS
Reporter: Shi Ji <puzzorsj>
Component: general
Assignee: Tor Andersson <tor.andersson>
Status: RESOLVED FIXED
Severity: normal
CC: tor.andersson
Priority: P4
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: poc and stack trace

Description Shi Ji 2016-10-26 05:12:18 UTC
Created attachment 13050 [details]
poc and stack trace

# Vulnerability
mujs overread in jsU_chartorune of utf.c

# Version
git head version

# Address Sanitizer Output
ASAN:SIGSEGV
=================================================================
==14912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5a0057a at pc 0x817b7d3 bp 0xffdcf218 sp 0xffdcf210
READ of size 1 at 0xf5a0057a thread T0
    #0 0x817b7d2 in jsU_chartorune /home/puzzor/puzzor/mujs/utf.c:55
    #1 0x82eb0c3 in textpush /home/puzzor/puzzor/mujs/jslex.c:155
    #2 0x82eb0c3 in lexescape /home/puzzor/puzzor/mujs/jslex.c:404
    #3 0x82eb0c3 in lexstring /home/puzzor/puzzor/mujs/jslex.c:422
    #4 0x82b0ec1 in jsY_lexx /home/puzzor/puzzor/mujs/jslex.c:582
    #5 0x82b0ec1 in jsY_lex /home/puzzor/puzzor/mujs/jslex.c:722
    #6 0x831ef3f in jsP_next /home/puzzor/puzzor/mujs/jsparse.c:132
    #7 0x831ef3f in jsP_parse /home/puzzor/puzzor/mujs/jsparse.c:944
    #8 0x81489ee in js_loadstringx /home/puzzor/puzzor/mujs/jsstate.c:55
    #9 0x8147ff8 in js_loadstring /home/puzzor/puzzor/mujs/jsstate.c:70
    #10 0x8147ff8 in js_loadfile /home/puzzor/puzzor/mujs/jsstate.c:121
    #11 0x81494d7 in js_dofile /home/puzzor/puzzor/mujs/jsstate.c:150
    #12 0x80cd7dc in main /home/puzzor/puzzor/mujs/main.c:175
    #13 0xf74cbaf2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #14 0x80ccc84 in _start (/home/varas/puzzor/mujs/build/mujs+0x80ccc84)


# PoC
See poc

# Analysis
The program will unconditionally read the next character if it encounters a '"' with a '/' later, similar to Bug 697136.


# Report Timeline
2016.10.26: Shi Ji(@Puzzor) discovered this issue

# Credit
Shi Ji(@Puzzor) of VARAS@IIE

# Repro
build with asan, run the poc with ./mujs poc

Comment 1 Tor Andersson 2016-10-31 05:11:49 UTC
commit a0ceaf5050faf419401fe1b83acfa950ec8a8a89
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Mon Oct 31 13:05:37 2016 +0100

    Fix 697244: Check for incomplete escape sequence at end of input.
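
The pattern described in the report (an escape handler that reads the byte after a backslash without first asking whether the input has ended) and the check named in the fix commit, as an added C example that is not MuJS code. The reader, lexer and function names are constructed for illustration; the input is a bounded buffer and a tracking reader records attempts to read at or past the end instead of dereferencing them, so the unchecked path can be observed safely.

```c
/* Added example, not MuJS code: a tiny string-literal lexer showing the bug
 * class in this report. Any read at or past `end` is recorded by the
 * tracking reader instead of dereferenced. All names (reader, rd_next,
 * lex_escape, lex_string_*, run_lexer) are constructed for the example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct reader {
    const char *p;    /* next byte to read */
    const char *end;  /* one past the last valid byte */
    int overread;     /* reads attempted at or past end */
};

static int rd_at_end(const struct reader *r) { return r->p >= r->end; }

/* Return the next byte, or -1 at end of input (counting the attempt). */
static int rd_next(struct reader *r)
{
    if (rd_at_end(r)) { r->overread++; return -1; }
    return (unsigned char)*r->p++;
}

/* Decode the byte after a backslash. Returns the character, or -1 on an
 * unknown escape, which includes rd_next() returning -1 at end of input. */
static int lex_escape(struct reader *r)
{
    switch (rd_next(r)) {
    case 'n':  return '\n';
    case 't':  return '\t';
    case '\\': return '\\';
    case '"':  return '"';
    default:   return -1;
    }
}

/* Lex the body of a string literal (bytes after the opening quote) into out.
 * Returns the length, -1 on a bad escape, -3 if the closing quote is missing.
 * On a backslash this version calls lex_escape without asking whether any
 * input remains: the "unconditionally read the next character" pattern. */
static int lex_string_unchecked(struct reader *r, char *out, size_t outsz)
{
    size_t n = 0;
    for (;;) {
        int c;
        if (rd_at_end(r)) return -3;        /* unterminated literal */
        c = rd_next(r);
        if (c == '"') break;
        if (c == '\\') {
            c = lex_escape(r);              /* may read past end */
            if (c == -1) return -1;
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Same lexer with the check the fix commit names: a backslash that is the
 * last byte of input is an incomplete escape, reported (-2) before any read. */
static int lex_string_checked(struct reader *r, char *out, size_t outsz)
{
    size_t n = 0;
    for (;;) {
        int c;
        if (rd_at_end(r)) return -3;
        c = rd_next(r);
        if (c == '"') break;
        if (c == '\\') {
            if (rd_at_end(r)) return -2;    /* incomplete escape at end of input */
            c = lex_escape(r);
            if (c == -1) return -1;
        }
        if (n + 1 >= outsz) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Run one lexer over a NUL-terminated sample (the NUL counts as past the end,
 * like a buffer whose last byte is the backslash) and report over-reads. */
static int run_lexer(int (*lex)(struct reader *, char *, size_t),
                     const char *src, char *out, size_t outsz, int *overread)
{
    struct reader r = { src, src + strlen(src), 0 };
    int rc = lex(&r, out, outsz);
    *overread = r.overread;
    return rc;
}

int main(void)
{
    char out[32];
    int ov;
    int rc = run_lexer(lex_string_unchecked, "abc\\", out, sizeof out, &ov);
    printf("unchecked: rc=%d over-reads=%d\n", rc, ov);   /* rc=-1 over-reads=1 */
    rc = run_lexer(lex_string_checked, "abc\\", out, sizeof out, &ov);
    printf("checked:   rc=%d over-reads=%d\n", rc, ov);   /* rc=-2 over-reads=0 */
    return 0;
}
```

The constructed sample `abc\` (an opening quote already consumed, then a backslash as the final byte) is the shape the commit message describes: the unchecked lexer asks for one more byte and the tracking reader records that read past the end, while the checked lexer rejects the escape as incomplete without touching anything beyond the buffer. Both variants lex well-formed input such as `a\nb"` identically.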