Open
Description
I found a stack-use-after-scope bug while mjs (latest, b1b6eac) executes the PoC on Ubuntu 20.04.
Download the PoC: mjs_stack-use-after-scope_mjs4697.zip
ASAN Report
==1710788==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe3fe2ab40 at pc 0x00000043d118 bp 0x7ffe3fe29db0 sp 0x7ffe3fe29530
READ of size 2 at 0x7ffe3fe2ab40 thread T0
#0 0x43d117 in printf_common(void*, char const*, __va_list_tag*) (/data/song/projects/latest-programs/mjs/mjs-bin+0x43d117)
#1 0x4ced1d in mg_avprintf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4697:9
#2 0x4cebc4 in mg_asprintf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4686:9
#3 0x4dcdaf in mjs_prepend_errorf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:7649:5
#4 0x4db7f9 in mjs_mkstr /data/song/projects/latest-programs/mjs/BUILD/mjs.c
#5 0x4dd8ee in mjs_exec_internal /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9044:5
#6 0x4ddaeb in mjs_exec_file /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9067:11
#7 0x4e1df7 in main /data/song/projects/latest-programs/mjs/BUILD/mjs.c:11406:13
#8 0x7f55fa79cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#9 0x7f55fa79ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
#10 0x41f344 in _start (/data/song/projects/latest-programs/mjs/mjs-bin+0x41f344)
Address 0x7ffe3fe2ab40 is located in stack of thread T0 at offset 160 in frame
#0 0x4df2ff in mjs_execute /data/song/projects/latest-programs/mjs/BUILD/mjs.c:8521
This frame has 13 object(s):
[32, 36) 'llen' (line 8591)
[48, 52) 'llen51' (line 8600)
[64, 68) 'llen61' (line 8605)
[80, 84) 'llen77' (line 8619)
[96, 100) 'llen94' (line 8627)
[112, 120) 'val138' (line 8659)
[144, 148) 'llen183' (line 8700)
[160, 164) 'llen198' (line 8706) <== Memory access at offset 160 is inside this variable
[176, 180) 'llen208' (line 8713)
[192, 196) 'llen1' (line 8833)
[208, 212) 'llen2' (line 8833)
[224, 228) 'l1' (line 8879)
[240, 244) 'l2' (line 8879)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (/data/song/projects/latest-programs/mjs/mjs-bin+0x43d117) in printf_common(void*, char const*, __va_list_tag*)
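The report above answers two questions a triager needs: which stack variable the faulting address lands in, and where in the project's own source the read happens. The following script is an added example, not part of this issue or of the mjs project; it parses the report quoted above (embedded inline as sample input), maps the "offset 160 in frame" to the `[lo, hi)` object list, and filters the access stack down to frames that belong to `mjs.c`. The file name `mjs.c` and the field names in the returned dict are this example's own choices.

```python
import json
import re

# Sample input: the AddressSanitizer report quoted in this issue, copied verbatim.
ASAN_REPORT = """\
==1710788==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe3fe2ab40 at pc 0x00000043d118 bp 0x7ffe3fe29db0 sp 0x7ffe3fe29530
READ of size 2 at 0x7ffe3fe2ab40 thread T0
    #0 0x43d117 in printf_common(void*, char const*, __va_list_tag*) (/data/song/projects/latest-programs/mjs/mjs-bin+0x43d117)
    #1 0x4ced1d in mg_avprintf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4697:9
    #2 0x4cebc4 in mg_asprintf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:4686:9
    #3 0x4dcdaf in mjs_prepend_errorf /data/song/projects/latest-programs/mjs/BUILD/mjs.c:7649:5
    #4 0x4db7f9 in mjs_mkstr /data/song/projects/latest-programs/mjs/BUILD/mjs.c
    #5 0x4dd8ee in mjs_exec_internal /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9044:5
    #6 0x4ddaeb in mjs_exec_file /data/song/projects/latest-programs/mjs/BUILD/mjs.c:9067:11
    #7 0x4e1df7 in main /data/song/projects/latest-programs/mjs/BUILD/mjs.c:11406:13
    #8 0x7f55fa79cd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f55fa79ce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x41f344 in _start (/data/song/projects/latest-programs/mjs/mjs-bin+0x41f344)
Address 0x7ffe3fe2ab40 is located in stack of thread T0 at offset 160 in frame
    #0 0x4df2ff in mjs_execute /data/song/projects/latest-programs/mjs/BUILD/mjs.c:8521
  This frame has 13 object(s):
    [32, 36) 'llen' (line 8591)
    [144, 148) 'llen183' (line 8700)
    [160, 164) 'llen198' (line 8706) <== Memory access at offset 160 is inside this variable
    [176, 180) 'llen208' (line 8713)
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<rest>.+?)\s*$")
# "path/file.c:line:col" (line and column optional); a "(module+0x...)" tail will not match.
LOC_RE = re.compile(r"^(?P<file>[^():]+?\.(?:c|h|cc|cpp))(?::(?P<line>\d+))?(?::(?P<col>\d+))?$")
FRAME_OFFSET_RE = re.compile(r"is located in stack of thread T\d+ at offset (?P<off>\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(?P<lo>\d+), (?P<hi>\d+)\) '(?P<name>[^']+)' \(line (?P<line>\d+)\)")


def parse_frame(rest):
    """Split 'func path:line:col' into its parts; symbol names may contain spaces."""
    func, _, last = rest.rpartition(" ")
    if not func:  # a bare symbol with no location at all
        func, last = last, ""
    m = LOC_RE.match(last)
    if not m:
        return {"func": rest if last.startswith("(") is False and not m and func == "" else func,
                "file": None, "line": None}
    return {"func": func, "file": m["file"], "line": int(m["line"]) if m["line"] else None}


def parse_report(text):
    """Walk the report once, keeping the access stack separate from the owning frame."""
    r = {"kind": None, "address": None, "access": None, "access_stack": [],
         "frame_offset": None, "frame": None, "objects": []}
    section = None
    for line in text.splitlines():
        if (m := HEADER_RE.search(line)):
            r["kind"], r["address"] = m["kind"], m["addr"]
        elif (m := ACCESS_RE.match(line)):
            r["access"], section = (m["op"], int(m["size"])), "access"
        elif (m := FRAME_OFFSET_RE.search(line)):
            r["frame_offset"], section = int(m["off"]), "frame"
        elif (m := FRAME_RE.match(line)):
            frame = parse_frame(m["rest"])
            if section == "access":
                r["access_stack"].append(frame)
            elif section == "frame" and r["frame"] is None:
                r["frame"] = frame
        elif (m := OBJECT_RE.match(line)):
            r["objects"].append({"lo": int(m["lo"]), "hi": int(m["hi"]),
                                 "name": m["name"], "line": int(m["line"])})
    return r


def object_at(objects, offset):
    """The frame object whose [lo, hi) byte range contains the offset, or None."""
    return next((o for o in objects if o["lo"] <= offset < o["hi"]), None)


def project_frames(frames, source_name):
    """Frames located in the given source file, innermost first (drops libc/sanitizer frames)."""
    return [f for f in frames if f["file"] and f["file"].rsplit("/", 1)[-1] == source_name]


def triage(text, source_name="mjs.c"):
    r = parse_report(text)
    obj = object_at(r["objects"], r["frame_offset"]) if r["frame_offset"] is not None else None
    path = project_frames(r["access_stack"], source_name)
    return {
        "kind": r["kind"],
        "access": r["access"],
        "variable": obj["name"] if obj else None,
        "declared_line": obj["line"] if obj else None,
        "owning_function": r["frame"]["func"] if r["frame"] else None,
        "first_project_frame": (path[0]["func"], path[0]["line"]) if path else None,
        "call_chain": [f["func"] for f in path],
    }


if __name__ == "__main__":
    print(json.dumps(triage(ASAN_REPORT), indent=2))
```

On this report the script resolves offset 160 to `llen198`, declared at mjs.c line 8706 inside `mjs_execute`, while the read itself happens in `mg_avprintf` (mjs.c:4697) reached through `mjs_prepend_errorf`. That pairing is what makes the sanitizer verdict concrete: a pointer to a block-scoped variable of `mjs_execute` is still dereferenced by the error-formatting path after the block that declared it has ended, which is the fix location a maintainer should look at first.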
Steps to reproduce
git clone https://github.com/cesanta/mjs.git
cd mjs
clang -g -O1 -fsanitize=address -fno-omit-frame-pointer -Wno-error -DMJS_MAIN mjs.c -ldl -o mjs_asan
./mjs_asan -f PoC