[Nasm-bugs] [Bug 3392566] New: OOB write in nasm_quote
noreply-nasm at gorcunov.org
Fri Apr 19 00:01:45 PDT 2019
https://bugzilla.nasm.us/show_bug.cgi?id=3392566
Bug ID: 3392566
Summary: OOB write in nasm_quote
Product: NASM
Version: 2.15 (development)
Hardware: All
OS: All
Status: OPEN
Severity: normal
Priority: Medium
Component: Assembler
Assignee: nobody at nasm.us
Reporter: deian at cs.ucsd.edu
CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
hpa at zytor.com, nasm-bugs at nasm.us
Obtained from: Unknown
I believe there is an out-of-bounds read in nasm_quote, when called with a huge length [1]:
    char *nasm_quote(const char *str, size_t len)
    {
        ...
        nstr = nasm_malloc(len+3);          // overflow, thus create small buffer
        nstr[0] = nstr[len+1] = sq_ok ? '\'' : '\"';
        nstr[len+2] = '\0';
        if (len > 0)
            memcpy(nstr+1, str, len);       // copy huge amounts of data
        ...
Apologies if this turns out to not be a concern.
[1] https://repo.or.cz/nasm.git/blob/HEAD:/asm/quote.c#l106
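Added example (not NASM's code): a quoting helper shaped like the nasm_quote() excerpt above, with the size computation checked before allocation so a huge len cannot wrap len+3 into a tiny buffer. The function name quote_checked, the helper quotes_to and the choice of quote character via memchr are assumptions for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Quote len bytes of str in the style of the nasm_quote() excerpt above,
 * but refuse sizes for which len + 3 would wrap. Returns a malloc'd string
 * (caller frees) or NULL on rejection / allocation failure.
 * quote_checked and the memchr quote selection are assumptions, not NASM's code. */
char *quote_checked(const char *str, size_t len)
{
    char *nstr;
    int sq_ok;

    /* The overflow check must precede the arithmetic: with len close to
     * SIZE_MAX, len + 3 wraps to a tiny value, the allocation succeeds,
     * and nstr[len + 1], nstr[len + 2] and the memcpy all write far
     * outside the buffer that was actually allocated. */
    if (len > SIZE_MAX - 3)
        return NULL;

    /* Use single quotes unless the text already contains one. */
    sq_ok = (len == 0) || memchr(str, '\'', len) == NULL;

    nstr = malloc(len + 3);
    if (nstr == NULL)
        return NULL;

    nstr[0] = nstr[len + 1] = sq_ok ? '\'' : '"';
    nstr[len + 2] = '\0';
    if (len > 0)
        memcpy(nstr + 1, str, len);
    return nstr;
}

/* Check helper: 1 if quoting (str, len) yields exactly expected;
 * expected == NULL means "must be rejected with NULL". */
int quotes_to(const char *str, size_t len, const char *expected)
{
    char *q = quote_checked(str, len);
    int ok;

    if (expected == NULL) {
        ok = (q == NULL);
        free(q);
        return ok;
    }
    ok = (q != NULL) && strcmp(q, expected) == 0;
    free(q);
    return ok;
}
```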