[Nasm-bugs] [Bug 3392519] New: Null pointer dereference in function bsii at nasmlib/bsi.c
noreply-nasm at gorcunov.org
Thu Sep 13 22:18:56 PDT 2018
https://bugzilla.nasm.us/show_bug.cgi?id=3392519
Bug ID: 3392519
Summary: Null pointer dereference in function bsii at nasmlib/bsi.c
Product: NASM
Version: 2.14 (development)
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: mudongliangabcd at gmail.com
CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Build from source archive using configure
Created attachment 411675
--> https://bugzilla.nasm.us/attachment.cgi?id=411675&action=edit
poc
There exists a null pointer dereference in function `bsii` at
nasmlib/bsi.c:68 in nasm-2.14rc15, which can cause a segmentation fault.
To reproduce:
```
./configure && make
./nasm -f elf poc
```
gdb output:
backtrace:
```
#0 __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
#1 0x00005555555f2291 in bsii (string=0x0, array=0x5555558de220 <size_names>,
size=7) at nasmlib/bsi.c:68 <-------null str
#2 0x00005555555bc9e0 in parse_size (str=0x0) at asm/preproc.c:2214 <-------null str
#3 0x00005555555bd310 in do_directive (tline=0x7ffff7fda2d0,
output=0x7fffffffd6b8) at asm/preproc.c:2471
#4 0x00005555555c49a4 in pp_getline () at asm/preproc.c:5210
#5 0x00005555555a86ae in assemble_file (fname=0x5555558f3d60 "/dev/stdin",
depend_ptr=0x0) at asm/nasm.c:1435
#6 0x00005555555a65e5 in main (argc=6, argv=0x7fffffffda88) at asm/nasm.c:566
```
source code:
```c
// in nasmlib/bsi.c, line 68
int bsii(const char *string, const char **array, int size)
{
    int i = -1, j = size; /* always, i < index < j */
    while (j - i >= 2) {
        int k = (i + j) / 2;
        int l = nasm_stricmp(string, array[k]); /* <----- crash: null str */
        if (l < 0) /* it's in the first half */
            j = k;
    ...

// in asm/preproc.c, line 2214
static int parse_size(const char *str) {
    static const char *size_names[] =
        { "byte", "dword", "oword", "qword", "tword", "word", "yword" };
    static const int sizes[] =
        { 0, 1, 4, 16, 8, 10, 2, 32 };
    return sizes[bsii(str, size_names, ARRAY_SIZE(size_names))+1]; /* <--- crash: null str */
}
```
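As an added example (not NASM's code and not the upstream fix), a stand-alone reimplementation of the two functions in the report that rejects a NULL key before it reaches the comparison; `stricmp_ascii` is an assumed stand-in for `nasm_stricmp`, and `bsii_safe` / `parse_size_safe` are hypothetical names:

```c
#include <ctype.h>
#include <stdio.h>

#define ARRAY_SIZE(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* ASCII case-insensitive compare; assumed stand-in for nasm_stricmp(). */
static int stricmp_ascii(const char *a, const char *b)
{
    for (; *a && tolower((unsigned char)*a) == tolower((unsigned char)*b); a++, b++)
        ;
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Binary search over a case-insensitively sorted string table. Returns the
 * index of the match or -1. Unlike the snippet in the report, a NULL key is
 * rejected here instead of being handed to the comparison (the crash site). */
int bsii_safe(const char *string, const char **array, int size)
{
    int i = -1, j = size;           /* invariant: i < index < j */
    if (string == NULL || array == NULL)
        return -1;
    while (j - i >= 2) {
        int k = (i + j) / 2;
        int l = stricmp_ascii(string, array[k]);
        if (l < 0)
            j = k;                  /* candidate is in the first half */
        else if (l > 0)
            i = k;                  /* candidate is in the second half */
        else
            return k;
    }
    return -1;
}

/* Same table as the report; a miss (including NULL) lands on sizes[0] = 0. */
int parse_size_safe(const char *str)
{
    static const char *size_names[] =
        { "byte", "dword", "oword", "qword", "tword", "word", "yword" };
    static const int sizes[] =
        { 0, 1, 4, 16, 8, 10, 2, 32 };
    return sizes[bsii_safe(str, size_names, ARRAY_SIZE(size_names)) + 1];
}

int main(void)
{
    printf("%d %d\n", parse_size_safe("QWORD"), parse_size_safe(NULL));
    return 0;
}
```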