Created attachment 13050 [details]
poc and stack trace

# Vulnerability
mujs overread in jsU_chartorune of utf.c

# Version
git head version

# Address Sanitizer Output
ASAN:SIGSEGV
=================================================================
==14912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf5a0057a at pc 0x817b7d3 bp 0xffdcf218 sp 0xffdcf210
READ of size 1 at 0xf5a0057a thread T0
    #0 0x817b7d2 in jsU_chartorune /home/puzzor/puzzor/mujs/utf.c:55
    #1 0x82eb0c3 in textpush /home/puzzor/puzzor/mujs/jslex.c:155
    #2 0x82eb0c3 in lexescape /home/puzzor/puzzor/mujs/jslex.c:404
    #3 0x82eb0c3 in lexstring /home/puzzor/puzzor/mujs/jslex.c:422
    #4 0x82b0ec1 in jsY_lexx /home/puzzor/puzzor/mujs/jslex.c:582
    #5 0x82b0ec1 in jsY_lex /home/puzzor/puzzor/mujs/jslex.c:722
    #6 0x831ef3f in jsP_next /home/puzzor/puzzor/mujs/jsparse.c:132
    #7 0x831ef3f in jsP_parse /home/puzzor/puzzor/mujs/jsparse.c:944
    #8 0x81489ee in js_loadstringx /home/puzzor/puzzor/mujs/jsstate.c:55
    #9 0x8147ff8 in js_loadstring /home/puzzor/puzzor/mujs/jsstate.c:70
    #10 0x8147ff8 in js_loadfile /home/puzzor/puzzor/mujs/jsstate.c:121
    #11 0x81494d7 in js_dofile /home/puzzor/puzzor/mujs/jsstate.c:150
    #12 0x80cd7dc in main /home/puzzor/puzzor/mujs/main.c:175
    #13 0xf74cbaf2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
    #14 0x80ccc84 in _start (/home/varas/puzzor/mujs/build/mujs+0x80ccc84)

# PoC
See poc

# Analysis
The program will unconditionally read the next character if it encountered a '"' with a '/' later, similar to Bug 697136.

# Report Timeline
2016.10.26: Shi Ji(@Puzzor) discovered this issue

# Credit
Shi Ji(@Puzzor) of VARAS@IIE

# Repro
Build with asan, run the poc with ./mujs poc
commit a0ceaf5050faf419401fe1b83acfa950ec8a8a89
Author: Tor Andersson <tor.andersson@artifex.com>
Date:   Mon Oct 31 13:05:37 2016 +0100

    Fix 697244: Check for incomplete escape sequence at end of input.
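The defect class behind this report, a string lexer that consumes the byte after a backslash without first checking that the input has one, and the shape of the fix the commit message describes (refuse an escape sequence that ends the input) can be shown in a small stand-alone lexer. The code below is an added illustration, not mujs's own `lexstring`/`lexescape` code: the function names, return codes and the ASCII-only escape table are assumptions, and it takes an explicit length rather than relying on a terminator so that every read of `src[i]` is guarded by `i < len`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return codes for this hypothetical lexer (not a mujs API). */
enum { LEX_OK = 0, LEX_UNTERMINATED = -1, LEX_BAD_ESCAPE = -2, LEX_OVERFLOW = -3 };

/*
 * lex_string_literal: lex one double-quoted string literal from src[0..len).
 * src[0] must be the opening '"'.  Decoded bytes go to out (at most outcap-1
 * of them, NUL-terminated).  On success the number of source bytes consumed,
 * including both quotes, is stored in *consumed and LEX_OK is returned.
 * Only ASCII escapes are handled; the point is the bounds check, not the
 * full escape/UTF-8 grammar a real JavaScript lexer needs.
 */
static int lex_string_literal(const char *src, size_t len,
                              char *out, size_t outcap, size_t *consumed)
{
    size_t i = 1, o = 0;                 /* src[0] is the opening quote */
    if (len == 0 || src[0] != '"' || outcap == 0)
        return LEX_UNTERMINATED;

    while (i < len) {
        char c = src[i];
        if (c == '"') {                  /* closing quote: done */
            out[o] = '\0';
            *consumed = i + 1;
            return LEX_OK;
        }
        if (c == '\\') {
            /* This is the check that matters: an escape needs one more byte.
             * Reading src[i + 1] unconditionally here is the overread pattern
             * ASAN flags as a heap-buffer-overflow when the backslash is the
             * last byte of the buffer. */
            if (i + 1 >= len)
                return LEX_BAD_ESCAPE;
            i++;
            switch (src[i]) {
            case 'n':  c = '\n'; break;
            case 't':  c = '\t'; break;
            case '\\': c = '\\'; break;
            case '"':  c = '"';  break;
            default:   return LEX_BAD_ESCAPE;   /* unknown escape: reject */
            }
        }
        if (o + 1 >= outcap)             /* keep room for the NUL */
            return LEX_OVERFLOW;
        out[o++] = c;
        i++;
    }
    return LEX_UNTERMINATED;             /* ran off the end, no closing quote */
}

/* Constructed inputs exercising the three paths. */
static int check_complete_escape(void)
{
    char out[16]; size_t n = 0;
    /* "a\nb" followed by more source: 8 bytes, literal is the first 6 */
    int r = lex_string_literal("\"a\\nb\" x", 8, out, sizeof out, &n);
    return r == LEX_OK && n == 6 && strcmp(out, "a\nb") == 0;
}

static int check_trailing_backslash(void)
{
    char out[16]; size_t n = 0;
    /* input ends right after the backslash: must not read src[5] */
    return lex_string_literal("\"abc\\", 5, out, sizeof out, &n) == LEX_BAD_ESCAPE;
}

static int check_unterminated(void)
{
    char out[16]; size_t n = 0;
    return lex_string_literal("\"abc", 4, out, sizeof out, &n) == LEX_UNTERMINATED;
}

int main(void)
{
    printf("complete escape ok:      %d\n", check_complete_escape());
    printf("trailing backslash ok:   %d\n", check_trailing_backslash());
    printf("unterminated ok:         %d\n", check_unterminated());
    return 0;
}
```

Compiling this with `-fsanitize=address` and feeding the truncated-input cases is the same check the reporter ran on mujs; with the `i + 1 >= len` guard in place the sanitizer stays quiet, and removing it reproduces the one-byte read past the end that the trace above shows in `jsU_chartorune`.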