[Nasm-bugs] [Bug 3392507] memory corruption of nasm when handling a crafted file due to function assemble_file(inname, depend_ptr) at asm/nasm.c:482

noreply-nasm at gorcunov.org
Wed Sep 26 12:54:25 PDT 2018


https://bugzilla.nasm.us/show_bug.cgi?id=3392507

--- Comment #4 from Scott Gayou <sgayou at redhat.com> ---
This appears to be due to the following pattern in preproc.c:

```c
tt = tokenize(tline->text);
tt = expand_smacro(tt);
size = parse_size(tt->text);
```

In this case, expand_smacro errors out. ->text is set to NULL, and ->type is
set to TOK_WHITESPACE. We then call parse_size with NULL. No NULL checks occur
inside, and we eventually crash when trying to dereference NULL inside of
bsii's stricmp call.

This same pattern also appears in the case of PP_ARG. Thus, we can create a
similar reproducer via crafting a file with %arg instead of %local. Both
reproducers are attached (I have drastically reduced the reproducers to the
minimal crash case I believe).

Sorry about not submitting a patch -- I don't have enough nasm experience to
know what error behavior should happen in this case. (i.e. abort, continue,
etc.)
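The pattern described in this comment, modelled as an added example that is not nasm's code: a token whose text becomes NULL after a failed expansion is handed to a size parser that compares it with a case-insensitive string function. The type and function names (struct token, expand_fails, parse_size_unchecked, parse_size_checked, handle_directive) are constructed stand-ins, and strcasecmp stands in for nasm's stricmp; the checked caller shows the NULL test a fix would need before parse_size is reached.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Constructed model of the preprocessor token (not nasm's real struct). */
enum tok_type { TOK_ID, TOK_WHITESPACE };

struct token {
    enum tok_type type;
    const char *text;   /* becomes NULL after a failed expansion */
};

/* Stand-in for expand_smacro erroring out: the token degrades to
 * whitespace with a NULL text pointer, exactly the state the report describes. */
static void expand_fails(struct token *t) {
    t->text = NULL;
    t->type = TOK_WHITESPACE;
}

/* Stand-in for parse_size: no NULL check, so a NULL argument reaches the
 * case-insensitive compare and dereferences it (strcasecmp models stricmp). */
static int parse_size_unchecked(const char *str) {
    static const char *names[] = { "byte", "word", "dword", "qword" };
    static const int sizes[] = { 1, 2, 4, 8 };
    for (size_t i = 0; i < 4; i++)
        if (strcasecmp(str, names[i]) == 0)
            return sizes[i];
    return 0;   /* not a size keyword */
}

/* Hardened caller: reject a degraded token before the parser sees it. */
static int parse_size_checked(const struct token *t) {
    if (t == NULL || t->text == NULL || t->type == TOK_WHITESPACE)
        return -1;   /* caller reports a directive error instead of crashing */
    return parse_size_unchecked(t->text);
}

/* Simulates the %local / %arg path: tokenize, expand, parse size. */
static int handle_directive(const char *operand, bool expansion_fails) {
    struct token tt = { TOK_ID, operand };
    if (expansion_fails)
        expand_fails(&tt);
    return parse_size_checked(&tt);
}

int main(void) {
    printf("%d\n", handle_directive("dword", false));  /* 4 */
    printf("%d\n", handle_directive("dword", true));   /* -1, no crash */
    return 0;
}
```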
