Bug 697244 (CVE-2016-9136) - heap-buffer-overflow in jsU_chartorune, buffer overread
Summary: heap-buffer-overflow in jsU_chartorune, buffer overread
Alias: CVE-2016-9136
Product: MuJS
Classification: Unclassified
Component: general
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assignee: Tor Andersson
QA Contact: Bug traffic
Reported: 2016-10-26 05:12 UTC by Shi Ji
Modified: 2016-10-31 20:24 UTC


poc and stack trace (1.00 KB, application/x-zip-compressed)
2016-10-26 05:12 UTC, Shi Ji

Description Shi Ji 2016-10-26 05:12:18 UTC
Created attachment 13050
poc and stack trace

# Vulnerability
mujs overread in jsU_chartorune of utf.c

# Version
git head version

# Address Sanitizer Output
==14912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5a0057a at pc 0x817b7d3 bp 0xffdcf218 sp 0xffdcf210
READ of size 1 at 0xf5a0057a thread T0
    #0 0x817b7d2 in jsU_chartorune /home/puzzor/puzzor/mujs/utf.c:55
    #1 0x82eb0c3 in textpush /home/puzzor/puzzor/mujs/jslex.c:155
    #2 0x82eb0c3 in lexescape /home/puzzor/puzzor/mujs/jslex.c:404
    #3 0x82eb0c3 in lexstring /home/puzzor/puzzor/mujs/jslex.c:422
    #4 0x82b0ec1 in jsY_lexx /home/puzzor/puzzor/mujs/jslex.c:582
    #5 0x82b0ec1 in jsY_lex /home/puzzor/puzzor/mujs/jslex.c:722
    #6 0x831ef3f in jsP_next /home/puzzor/puzzor/mujs/jsparse.c:132
    #7 0x831ef3f in jsP_parse /home/puzzor/puzzor/mujs/jsparse.c:944
    #8 0x81489ee in js_loadstringx /home/puzzor/puzzor/mujs/jsstate.c:55
    #9 0x8147ff8 in js_loadstring /home/puzzor/puzzor/mujs/jsstate.c:70
    #10 0x8147ff8 in js_loadfile /home/puzzor/puzzor/mujs/jsstate.c:121
    #11 0x81494d7 in js_dofile /home/puzzor/puzzor/mujs/jsstate.c:150
    #12 0x80cd7dc in main /home/puzzor/puzzor/mujs/main.c:175
    #13 0xf74cbaf2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #14 0x80ccc84 in _start (/home/varas/puzzor/mujs/build/mujs+0x80ccc84)

# PoC
See the attached poc

# Analysis
The program will unconditionally read the next character if it encounters a '"' with a '/' later, similar to Bug 697136.

# Report Timeline
2016.10.26: Shi Ji (@Puzzor) discovered this issue

# Credit
Shi Ji (@Puzzor) of VARAS@IIE

# Repro
Build with ASan, then run the poc with ./mujs poc
Comment 1 Tor Andersson 2016-10-31 05:11:49 UTC
commit a0ceaf5050faf419401fe1b83acfa950ec8a8a89
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Mon Oct 31 13:05:37 2016 +0100

    Fix 697244: Check for incomplete escape sequence at end of input.
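The analysis in the report and the fix description in the commit message both point at the same lexer pattern: after a backslash inside a string literal, the next character is consumed without first checking whether the input has already ended, so the lexer then advances past the terminating NUL while looking for the closing quote. The following is an added example written for this page, not MuJS's own code from jslex.c or utf.c: a toy double-quoted-string lexer over a NUL-terminated buffer whose reader is instrumented to count any read beyond the NUL (the read that AddressSanitizer reports above as a 1-byte heap-buffer-overflow READ). The names (`struct lexer`, `lex_next`, `lexstring`, `count_overreads`, `lex_ok_length`), the `check_eof` flag that switches between the buggy behaviour and the end-of-input check, and the inputs fed to it are all assumptions for illustration, not taken from the PoC attachment.

```c
/*
 * Added example, not MuJS code: a toy double-quoted-string lexer that shows
 * the overread class described in the report (reading the character after a
 * backslash without checking for end of input) next to the fixed behaviour.
 *
 * The reader is instrumented: a read at index len (the terminating NUL) is in
 * bounds, any read beyond it is counted instead of dereferenced. In the real
 * lexer that read is the one AddressSanitizer reports as a 1-byte
 * heap-buffer-overflow READ.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct lexer {            /* hypothetical names, for illustration only */
    const char *src;      /* NUL-terminated source text */
    size_t len;           /* strlen(src); src[len] is the terminating NUL */
    size_t pos;           /* index of the next character to read */
    int overreads;        /* reads attempted at an index greater than len */
};

static void lex_init(struct lexer *L, const char *src)
{
    L->src = src;
    L->len = strlen(src);
    L->pos = 0;
    L->overreads = 0;
}

/* Consume and return the next byte. Past the NUL the real code would read
 * whatever follows the buffer; here the read is recorded and modelled as 0. */
static int lex_next(struct lexer *L)
{
    size_t i = L->pos++;
    if (i > L->len) {
        L->overreads++;
        return 0;
    }
    return (unsigned char)L->src[i];
}

/* Lex one double-quoted string starting at the opening quote, writing the
 * decoded bytes to out. Returns the decoded length or -1 on a lexing error.
 *
 * check_eof == 0 reproduces the bug: a backslash that is the last character
 * before the NUL gets "completed" with the NUL itself, and the loop then
 * advances past the end of the buffer looking for the closing quote.
 * check_eof == 1 is the shape of the fix: an escape sequence cut off by end
 * of input is rejected before any further read happens. */
static int lexstring(struct lexer *L, int check_eof, char *out, size_t cap)
{
    size_t n = 0;
    int c;

    if (lex_next(L) != '"')
        return -1;
    for (c = lex_next(L); c != '"'; c = lex_next(L)) {
        if (c == 0)
            return -1;                  /* unterminated string */
        if (c == '\\') {
            c = lex_next(L);            /* the character after the backslash */
            if (check_eof && c == 0)
                return -1;              /* incomplete escape at end of input */
            switch (c) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            default:  break;            /* "\x" -> 'x'; in the buggy path, the NUL */
            }
        }
        if (n >= cap)
            return -1;                  /* output buffer full */
        out[n++] = (char)c;
    }
    return (int)n;
}

/* Constructed input in the spirit of the report's description: an opening
 * quote, a backslash, then end of input. Returns how many out-of-bounds reads
 * the chosen variant performs. */
static int count_overreads(int check_eof)
{
    struct lexer L;
    char out[16];
    lex_init(&L, "\"\\");
    (void)lexstring(&L, check_eof, out, sizeof out);
    return L.overreads;
}

/* A well-formed string must lex the same way under both variants. */
static int lex_ok_length(int check_eof)
{
    struct lexer L;
    char out[16];
    lex_init(&L, "\"a\\nb\"");
    return lexstring(&L, check_eof, out, sizeof out);
}

int main(void)
{
    printf("buggy lexer: %d out-of-bounds read(s)\n", count_overreads(0));
    printf("fixed lexer: %d out-of-bounds read(s)\n", count_overreads(1));
    printf("\"a\\nb\" decodes to %d bytes either way\n", lex_ok_length(1));
    return 0;
}
```

With `check_eof == 0` the truncated input produces exactly one read past the terminating NUL before the loop notices the "unterminated string", which is the single out-of-bounds byte ASan flags; with the end-of-input check in place the same input is rejected with no read beyond the buffer, and a well-formed literal decodes identically under both variants. The point of the check is its position: it has to come immediately after the byte following the backslash is examined, before any code path advances the cursor again.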