[Nasm-bugs] [Bug 3392750] New: Heap Buffer Overflow in expand_mmacro

noreply-nasm at dev.nasm.us
Sun May 2 16:26:17 PDT 2021


https://bugzilla.nasm.us/show_bug.cgi?id=3392750

            Bug ID: 3392750
           Summary: Heap Buffer Overflow in expand_mmacro
           Product: NASM
           Version: 2.16 (development)
          Hardware: PC
                OS: Linux
            Status: OPEN
          Severity: normal
          Priority: Medium
         Component: Assembler
          Assignee: nobody at nasm.us
          Reporter: mvanotti at protonmail.com
                CC: chang.seok.bae at intel.com, gorcunov at gmail.com,
                    hpa at zytor.com, nasm-bugs at nasm.us
     Obtained from: Built from git using configure

Reproducer:

```
%macro x 1+k
%endmacro

x a,
```

This file triggers an invalid read and write after the paramlen array.

```
$ valgrind ./nasm -felf64 -g -FDWARF -o /tmp/asd repro
==3083202== Memcheck, a memory error detector
==3083202== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3083202== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==3083202== Command: ./nasm -felf64 -g -FDWARF -o /tmp/asd repro
==3083202== 
==3083202== Invalid read of size 4
==3083202==    at 0x426E71: expand_mmacro (preproc.c:6633)
==3083202==    by 0x41B902: pp_tokline (preproc.c:7316)
==3083202==    by 0x41AF04: pp_getline (preproc.c:7328)
==3083202==    by 0x403CD4: assemble_file (nasm.c:1722)
==3083202==    by 0x402F9C: main (nasm.c:717)
==3083202==  Address 0x4af91b8 is 0 bytes after a block of size 8 alloc'd
==3083202==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3083202==    by 0x407ADC: nasm_calloc (alloc.c:72)
==3083202==    by 0x426C93: expand_mmacro (preproc.c:6588)
==3083202==    by 0x41B902: pp_tokline (preproc.c:7316)
==3083202==    by 0x41AF04: pp_getline (preproc.c:7328)
==3083202==    by 0x403CD4: assemble_file (nasm.c:1722)
==3083202==    by 0x402F9C: main (nasm.c:717)
==3083202== 
==3083202== Invalid write of size 4
==3083202==    at 0x426E74: expand_mmacro (preproc.c:6633)
==3083202==    by 0x41B902: pp_tokline (preproc.c:7316)
==3083202==    by 0x41AF04: pp_getline (preproc.c:7328)
==3083202==    by 0x403CD4: assemble_file (nasm.c:1722)
==3083202==    by 0x402F9C: main (nasm.c:717)
==3083202==  Address 0x4af91b8 is 0 bytes after a block of size 8 alloc'd
==3083202==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3083202==    by 0x407ADC: nasm_calloc (alloc.c:72)
==3083202==    by 0x426C93: expand_mmacro (preproc.c:6588)
==3083202==    by 0x41B902: pp_tokline (preproc.c:7316)
==3083202==    by 0x41AF04: pp_getline (preproc.c:7328)
==3083202==    by 0x403CD4: assemble_file (nasm.c:1722)
==3083202==    by 0x402F9C: main (nasm.c:717)
==3083202== 
repro:4: warning: dropping trailing empty parameter in call to multi-line macro `x' [-w+macro-params-legacy]
==3083202== 
==3083202== HEAP SUMMARY:
==3083202==     in use at exit: 4,480 bytes in 12 blocks
==3083202==   total heap usage: 3,806 allocs, 3,794 frees, 851,774 bytes allocated
==3083202== 
==3083202== LEAK SUMMARY:
==3083202==    definitely lost: 4,141 bytes in 6 blocks
==3083202==    indirectly lost: 0 bytes in 0 blocks
==3083202==      possibly lost: 0 bytes in 0 blocks
==3083202==    still reachable: 339 bytes in 6 blocks
==3083202==         suppressed: 0 bytes in 0 blocks
==3083202== Rerun with --leak-check=full to see details of leaked memory
==3083202== 
==3083202== For lists of detected and suppressed errors, rerun with: -s
==3083202== ERROR SUMMARY: 8 errors from 2 contexts (suppressed: 0 from 0)
```
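As an added triage aid, not part of this report or of NASM itself: a small parser for memcheck records like the ones above. It pairs each invalid access with the allocation site that owns the block and converts the reported byte offset into an element index, so the two errors above read as "element 2 of a 2-element array of 4-byte values allocated at preproc.c:6588". The sample log is a constructed, abridged excerpt of the output quoted above.

```python
import re
# Constructed excerpt of the memcheck log quoted in the report (frames abridged).
SAMPLE_LOG = """\
==3083202== Invalid read of size 4
==3083202==    at 0x426E71: expand_mmacro (preproc.c:6633)
==3083202==  Address 0x4af91b8 is 0 bytes after a block of size 8 alloc'd
==3083202==    at 0x483DD99: calloc (in vgpreload_memcheck-amd64-linux.so)
==3083202==    by 0x407ADC: nasm_calloc (alloc.c:72)
==3083202==    by 0x426C93: expand_mmacro (preproc.c:6588)
==3083202== 
==3083202== Invalid write of size 4
==3083202==    at 0x426E74: expand_mmacro (preproc.c:6633)
==3083202==  Address 0x4af91b8 is 0 bytes after a block of size 8 alloc'd
==3083202==    by 0x426C93: expand_mmacro (preproc.c:6588)
==3083202== 
"""
ERR_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)\s*$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)\s*$")
ADDR_RE = re.compile(r"^==\d+==\s+Address 0x[0-9a-fA-F]+ is (\d+) bytes (after|before|inside) "
                     r"a block of size (\d+) alloc'd\s*$")
END_RE = re.compile(r"^==\d+==\s*$")           # blank memcheck line closes a record
ALLOCATORS = {"malloc", "calloc", "realloc", "nasm_malloc", "nasm_calloc"}

def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record: access kind, size, block
    geometry, and the access and allocation stacks as 'func (location)' strings."""
    errors, cur, frames = [], None, None
    for line in text.splitlines():
        if m := ERR_RE.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "access": [], "alloc": []}
            frames = cur["access"]
        elif cur and (m := ADDR_RE.match(line)):
            cur.update(offset=int(m[1]), where=m[2], block_size=int(m[3]))
            frames = cur["alloc"]          # frames after the Address line describe the allocation
        elif cur and (m := FRAME_RE.match(line)):
            frames.append(f"{m[1]} ({m[2]})")
        elif cur and END_RE.match(line):
            errors.append(cur)
            cur = frames = None
    return errors

def element_index(err):
    """Index the access would have in an array of `size`-byte elements, e.g. 2 for a
    4-byte access 0 bytes past an 8-byte block; None unless the access is past the end."""
    if err.get("where") != "after":
        return None
    return (err["block_size"] + err["offset"]) // err["size"]

def owner_frame(err):
    """First allocation frame that is not an allocator wrapper: the code owning the block."""
    return next((f for f in err["alloc"] if f.split(" ", 1)[0] not in ALLOCATORS), None)
```

Feed it a full `valgrind` log and it yields one record per invalid access; grouping records by `(access[0], owner_frame)` collapses the read/write pair above into a single finding for the bug tracker.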
