
Buffer overflow in SetLastSPASMProblem

Open adriweb opened this issue 9 years ago • 0 comments

afl-fuzz found that if you use a ridiculously long token that triggers an error, the szDescription TCHAR array isn't big enough to hold the formatted string when StringCchVPrintf is called, and it crashes. (In the backtrace below the fortified vsprintf aborts with a 128-byte destination, slen=128, while formatting "Unknown opcode '%s'".)

I suppose truncating the argument string to fit the buffer before formatting would be acceptable.

Test case: o00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

The long backtrace:

Program received signal SIGABRT, Aborted.
0x00007ffff6df0f77 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff6df0f77 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff6df45e8 in __GI_abort () at abort.c:90
#2  0x00007ffff6e2e4fb in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff6f3ff10 "*** %s ***: %s terminated\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:199
#3  0x00007ffff6ecc08c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x7ffff6f3fea7 "buffer overflow detected") at fortify_fail.c:37
#4  0x00007ffff6ecb020 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007ffff6eca4a9 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:33
#6  0x00007ffff6e36a3b in __GI__IO_default_xsputn (f=0x7fffffffc5a0, data=<optimized out>, n=1) at genops.c:481
#7  0x00007ffff6e03f94 in _IO_vfprintf_internal (s=s@entry=0x7fffffffc5a0, format=<optimized out>, 
    format@entry=0x449dcd "Unknown opcode '%s'", ap=ap@entry=0x7fffffffc8a8) at vfprintf.c:1686
#8  0x00007ffff6eca544 in ___vsprintf_chk (s=s@entry=0x7fffffffc6e0 "Unknown opcode 'o", '0' <repeats 110 times>, flags=flags@entry=1, 
    slen=slen@entry=128, format=0x449dcd "Unknown opcode '%s'", args=args@entry=0x7fffffffc8a8) at vsprintf_chk.c:84
#9  0x000000000043c8a0 in vsprintf (__ap=0x7fffffffc8a8, __fmt=<optimized out>, 
    __s=0x7fffffffc6e0 "Unknown opcode 'o", '0' <repeats 110 times>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:47
#10 SetLastSPASMProblem(DWORD, bool, typedef __va_list_tag __va_list_tag *) (dwErrorCode=dwErrorCode@entry=275, 
    fIsWarning=fIsWarning@entry=false, valist=valist@entry=0x7fffffffc8a8) at errors.cpp:338
#11 0x0000000000440654 in SetLastSPASMProblem (valist=0x7fffffffc8a8, fIsWarning=false, dwErrorCode=275) at errors.cpp:318
#12 SetLastSPASMError (dwErrorCode=dwErrorCode@entry=275) at errors.cpp:382
#13 0x0000000000409f9d in handle_opcode_or_macro (ptr=0x667500 "") at pass_one.cpp:520
#14 0x000000000040b915 in run_first_pass_line_sec (ptr=0x667491 "o", '0' <repeats 110 times>) at pass_one.cpp:228
#15 run_first_pass_line (ptr=<optimized out>) at pass_one.cpp:170
#16 run_first_pass (ptr=<optimized out>) at pass_one.cpp:141
#17 0x0000000000403a5d in run_assembly () at main.cpp:117
#18 0x000000000040261f in main (argc=4, argv=0x7fffffffdea8) at main.cpp:431

adriweb — Apr 12 '15 02:04