[Nasm-bugs] [Bug 3392519] New: Null pointer dereference in function bsii at nasmlib/bsi.c

noreply-nasm at gorcunov.org noreply-nasm at gorcunov.org
Thu Sep 13 22:18:56 PDT 2018


https://bugzilla.nasm.us/show_bug.cgi?id=3392519

            Bug ID: 3392519
           Summary: Null pointer dereference in function bsii at
                    nasmlib/bsi.c
           Product: NASM
           Version: 2.14 (development)
          Hardware: All
                OS: All
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: mudongliangabcd at gmail.com
                CC: gorcunov at gmail.com, hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Build from source archive using configure

Created attachment 411675
  --> https://bugzilla.nasm.us/attachment.cgi?id=411675&action=edit
poc

There exists a null pointer dereference in function `bsii` at
nasmlib/bsi.c:68 in nasm-2.14rc15, which can cause a segmentation fault.

To reproduce:
```
./configure && make
./nasm -f elf poc
```
gdb output (backtrace):
```
#0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:198
#1  0x00005555555f2291 in bsii (string=0x0, array=0x5555558de220 <size_names>,
size=7) at nasmlib/bsi.c:68  <-------null str
#2  0x00005555555bc9e0 in parse_size (str=0x0) at asm/preproc.c:2214  <-------null str
#3  0x00005555555bd310 in do_directive (tline=0x7ffff7fda2d0,
output=0x7fffffffd6b8) at asm/preproc.c:2471
#4  0x00005555555c49a4 in pp_getline () at asm/preproc.c:5210
#5  0x00005555555a86ae in assemble_file (fname=0x5555558f3d60 "/dev/stdin",
depend_ptr=0x0) at asm/nasm.c:1435
#6  0x00005555555a65e5 in main (argc=6, argv=0x7fffffffda88) at asm/nasm.c:566
```
source code:
```c
/* in nasmlib/bsi.c, line 68 */
int bsii(const char *string, const char **array, int size)
{
    int i = -1, j = size;       /* always, i < index < j */
    while (j - i >= 2) {
        int k = (i + j) / 2;
        int l = nasm_stricmp(string, array[k]);     /* <----- crash: null string */
        if (l < 0)              /* it's in the first half */
            j = k;
            ...

/* in asm/preproc.c, line 2214 */
static int parse_size(const char *str) {
    static const char *size_names[] =
        { "byte", "dword", "oword", "qword", "tword", "word", "yword" };
    static const int sizes[] =
        { 0, 1, 4, 16, 8, 10, 2, 32 };

    return sizes[bsii(str, size_names, ARRAY_SIZE(size_names))+1];  /* <--- crash: null str */
}
```
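The report shows the failure mode but not a fix. The following is an added example, not NASM's code and not the project's eventual patch: a self-contained reimplementation of the same case-insensitive binary search and the same `size_names`/`sizes` tables, with one assumed guard added at the top of the search so that a NULL lookup string is reported as "not found" (index -1, hence size 0) instead of reaching the string comparison. The `nasm_stricmp` call is replaced by a local `stricmp_local` so the example builds without the NASM tree; the sample inputs in `main` are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-in for nasm_stricmp(): case-insensitive strcmp. */
int stricmp_local(const char *a, const char *b)
{
    while (*a && *b) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb)
            return ca - cb;
        a++;
        b++;
    }
    return tolower((unsigned char)*a) - tolower((unsigned char)*b);
}

/* Binary search over a sorted string table, modelled on bsii() from the
 * report. Returns the index of the match or -1 if absent.
 * Assumed guard (not NASM's code): a NULL needle is treated as "not found"
 * rather than being handed to the comparison routine, which is where the
 * reported crash occurs. */
int bsii_guarded(const char *string, const char **array, int size)
{
    int i = -1, j = size;       /* invariant: i < index < j */

    if (string == NULL)
        return -1;

    while (j - i >= 2) {
        int k = (i + j) / 2;
        int l = stricmp_local(string, array[k]);
        if (l < 0)
            j = k;              /* target is in the lower half */
        else if (l > 0)
            i = k;              /* target is in the upper half */
        else
            return k;           /* found */
    }
    return -1;
}

/* Same table layout as parse_size() in the report: size_names sorted for the
 * binary search, sizes[] offset by one so that "not found" (-1) maps to 0. */
int parse_size_guarded(const char *str)
{
    static const char *size_names[] =
        { "byte", "dword", "oword", "qword", "tword", "word", "yword" };
    static const int sizes[] =
        { 0, 1, 4, 16, 8, 10, 2, 32 };
    int n = (int)(sizeof(size_names) / sizeof(size_names[0]));

    return sizes[bsii_guarded(str, size_names, n) + 1];
}

int main(void)
{
    /* Constructed inputs: a keyword, mixed case, an unknown word, and the
     * NULL that reaches parse_size() in the reported backtrace. */
    const char *samples[] = { "qword", "DWord", "bogus", NULL };
    size_t n = sizeof(samples) / sizeof(samples[0]);
    for (size_t k = 0; k < n; k++)
        printf("parse_size(%s) = %d\n",
               samples[k] ? samples[k] : "NULL",
               parse_size_guarded(samples[k]));
    return 0;
}
```

The guard belongs in the search routine rather than only in `parse_size`, because the backtrace shows the NULL originating further up in `do_directive`; a caller-side check would protect this one path, while the callee-side check covers every caller of the table lookup.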
