3392501 – stack buffer overflow in disasm/disasm.c, line 571

Self-registration is disabled due to spam issue (mail gorcunov@gmail.com or hpa@zytor.com to create an account)

Bug 3392501 - stack buffer overflow in disasm/disasm.c, line 571

Summary: stack buffer overflow in disasm/disasm.c, line 571

Status:	OPEN

Alias:	None

Product:	NASM
Classification:	Unclassified
Component:	Disassembler (show other bugs)
Version:	2.14.xx
Hardware:	All All

Importance:	Medium normal
Assignee:	nobody

URL:

Depends on:
Blocks:

Reported:	2018-07-25 02:20 PDT by bugs
Modified:	2022-03-27 16:52 PDT (History)
CC List:	4 users (show)

Obtained from:	Built from git using configure
Generated by:	---
Bug category:
Breaks existing code:	---

Attachments
file which causes overflow (95 bytes, text/plain) 2018-07-25 02:20 PDT, bugs	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description bugs 2018-07-25 02:20:17 PDT

Created attachment 411656 [details]
file which causes overflow

Hi, when fuzzing the disassembler with honggfuzz, I discovered a stack buffer overflow in disasm.c, on line 571. Following is a detailed backtrace as supplied by the address sanitizer:
=================================================================
==640==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcc6090bc0 at pc 0x5596a2d6cffd bp 0x7ffcc60902f0 sp 0x7ffcc60902e8
READ of size 2 at 0x7ffcc6090bc0 thread T0
    #0 0x5596a2d6cffc in matches disasm/disasm.c:571
    #1 0x5596a2d6cffc in disasm disasm/disasm.c:1303
    #2 0x5596a2d52e54 in main disasm/ndisasm.c:319
    #3 0x7f67f86bca86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #4 0x5596a2d55209 in _start (/home/jfe/nasm/ndisasm+0xb9209)

Address 0x7ffcc6090bc0 is located in stack of thread T0 at offset 352 in frame
    #0 0x5596a2d5156f in main disasm/ndisasm.c:81

  This frame has 6 object(s):
    [32, 33) 'rn_error'
    [96, 100) 'synclen'
    [160, 168) 'ep'
    [224, 240) 'prefer'
    [288, 352) 'buffer' <== Memory access at offset 352 overflows this variable
    [384, 640) 'outbuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow disasm/disasm.c:571 in matches
Shadow bytes around the buggy address:
  0x100018c0a120: 00 00 00 00 00 00 f2 f2 f3 f3 f3 f3 00 00 00 00
  0x100018c0a130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018c0a140: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x100018c0a150: 01 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2
  0x100018c0a160: 00 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 f2 f2 f2 f2
=>0x100018c0a170: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
  0x100018c0a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018c0a190: 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
  0x100018c0a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018c0a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100018c0a1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==640==ABORTING

This bug can be reproduced by running "ndisasm /dev/stdin < min" where min is the attached file. However it is only visible when ndisasm is compiled with the address sanitizer.