Created attachment 411752: PoC to trigger the Segmentation fault

This stack overflow was discovered in asm/eval.c when we were fuzzing nasm (release build 2.14.02).

(gdb) file nasm
Reading symbols from nasm...done.
(gdb) run -felf ./input/seed1
Starting program: /home/lbb/afl-experient/Tests/ASAN/nasm-2.14.02/nasm -felf ./input/seed1

Program received signal SIGSEGV, Segmentation fault.
expr2 (critical=critical@entry=0) at asm/eval.c:482
482         e = expr3(critical);
(gdb) info stack
#0  expr2 (critical=critical@entry=0) at asm/eval.c:482
#1  0x0000000000422941 in expr1 (critical=critical@entry=0) at asm/eval.c:456
#2  0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
#3  0x0000000000420233 in expr6 (critical=critical@entry=0) at asm/eval.c:857
#4  0x0000000000421139 in expr5 (critical=critical@entry=0) at asm/eval.c:567
#5  0x000000000042201c in expr4 (critical=critical@entry=0) at asm/eval.c:542
#6  0x0000000000422101 in expr3 (critical=critical@entry=0) at asm/eval.c:508
#7  0x00000000004225c1 in expr2 (critical=critical@entry=0) at asm/eval.c:482
#8  0x0000000000422941 in expr1 (critical=critical@entry=0) at asm/eval.c:456
#9  0x0000000000422cc1 in expr0 (critical=0) at asm/eval.c:430
...

In addition, we used AddressSanitizer to print the stack information. ASAN dumps the stack trace as follows:

@root ./nasm -felf ./input/seed1
ASAN:SIGSEGV
=================================================================
==25297==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd73117f78 (pc 0x000000453306 bp 0x0fffae622ff2 sp 0x7ffd73117f70 T0)
    #0 0x453305 in stdscan asm/stdscan.c:130
    #1 0x44c993 in expr6 asm/eval.c:856
    #2 0x44e39e in expr5 asm/eval.c:567
    #3 0x44fa8a in expr4 asm/eval.c:542
    #4 0x44fbd0 in expr3 asm/eval.c:508
    #5 0x45027a in expr2 asm/eval.c:482
    #6 0x45072a in expr1 asm/eval.c:456
    #7 0x450bda in expr0 asm/eval.c:430
    #8 0x44c9a2 in expr6 asm/eval.c:857
    #9 0x44e39e in expr5 asm/eval.c:567
    #10 0x44fa8a in expr4 asm/eval.c:542
    #11 0x44fbd0 in expr3 asm/eval.c:508
    #12 0x45027a in expr2 asm/eval.c:482
    #13 0x45072a in expr1 asm/eval.c:456
    #14 0x450bda in expr0 asm/eval.c:430
    #15 0x44c9a2 in expr6 asm/eval.c:857
    #16 0x44e39e in expr5 asm/eval.c:567
    ...
    #249 0x44fbd0 in expr3 asm/eval.c:508
    #250 0x45027a in expr2 asm/eval.c:482
    #251 0x45072a in expr1 asm/eval.c:456

SUMMARY: AddressSanitizer: stack-overflow asm/stdscan.c:130 stdscan
==25297==ABORTING
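Both traces show the same cycle repeating: expr6 (the primary/parenthesis level) calls back into expr0 (the top of the precedence chain), so every nested sub-expression in the input costs a full round of expr0..expr6 frames, and a deeply nested input exhausts the stack before the parser ever reports a syntax error. The usual mitigation for a recursive-descent parser is an explicit nesting-depth counter that fails the parse cleanly once a fixed bound is exceeded. The following is an added example written for this page, not nasm's asm/eval.c: a toy integer-expression parser (hypothetical names parse_expr, parse_term, parse_primary, eval_expr) with the same recursion shape, plus a constructed generator of n nested parentheses so the bound can be exercised without a crash.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical parser for this example; nasm's real evaluator is not shown here.
 * Grammar: expr := term (('+'|'-') term)* ; term := primary (('*'|'/') primary)* ;
 * primary := integer | '(' expr ')'   -- the '(' branch is the recursion point. */

#define MAX_NESTING 64   /* assumed bound; pick it well below what the stack can hold */

enum { EXPR_OK = 0, EXPR_SYNTAX = -1, EXPR_TOO_DEEP = -2 };

struct parser {
    const char *p;   /* current position in the input */
    int depth;       /* current parenthesis nesting depth */
    int err;         /* first error seen, sticky */
};

static long parse_expr(struct parser *ps);

static void skip_ws(struct parser *ps)
{
    while (isspace((unsigned char)*ps->p))
        ps->p++;
}

static long parse_primary(struct parser *ps)
{
    skip_ws(ps);
    if (*ps->p == '(') {
        /* Depth check before recursing: this is what turns a stack overflow
         * into an ordinary, reportable parse error. */
        if (ps->depth >= MAX_NESTING) {
            ps->err = EXPR_TOO_DEEP;
            return 0;
        }
        ps->depth++;
        ps->p++;
        long v = parse_expr(ps);
        ps->depth--;
        if (ps->err)
            return 0;
        skip_ws(ps);
        if (*ps->p != ')') {
            ps->err = EXPR_SYNTAX;
            return 0;
        }
        ps->p++;
        return v;
    }
    if (isdigit((unsigned char)*ps->p)) {
        char *end;
        long v = strtol(ps->p, &end, 10);
        ps->p = end;
        return v;
    }
    ps->err = EXPR_SYNTAX;
    return 0;
}

static long parse_term(struct parser *ps)
{
    long v = parse_primary(ps);
    while (!ps->err) {
        skip_ws(ps);
        if (*ps->p == '*') {
            ps->p++;
            v *= parse_primary(ps);
        } else if (*ps->p == '/') {
            ps->p++;
            long d = parse_primary(ps);
            if (ps->err)
                break;
            if (d == 0) {            /* refuse division by zero instead of trapping */
                ps->err = EXPR_SYNTAX;
                break;
            }
            v /= d;
        } else {
            break;
        }
    }
    return v;
}

static long parse_expr(struct parser *ps)
{
    long v = parse_term(ps);
    while (!ps->err) {
        skip_ws(ps);
        if (*ps->p == '+') {
            ps->p++;
            v += parse_term(ps);
        } else if (*ps->p == '-') {
            ps->p++;
            v -= parse_term(ps);
        } else {
            break;
        }
    }
    return v;
}

/* Parse a whole string; returns EXPR_OK and stores the value, or an error code. */
int eval_expr(const char *s, long *out)
{
    struct parser ps = { s, 0, EXPR_OK };
    long v = parse_expr(&ps);
    if (ps.err)
        return ps.err;
    skip_ws(&ps);
    if (*ps.p != '\0')
        return EXPR_SYNTAX;          /* trailing garbage */
    *out = v;
    return EXPR_OK;
}

/* Convenience wrapper: value on success, LONG_MIN on any error. */
long eval_value(const char *s)
{
    long v;
    return eval_expr(s, &v) == EXPR_OK ? v : LONG_MIN;
}

/* Constructed input: n opening parens, "1", n closing parens. Returns the parser's
 * result code, which is the point of the example: EXPR_TOO_DEEP, never a SIGSEGV. */
int eval_nested_rc(size_t n)
{
    char *buf = malloc(2 * n + 2);
    if (!buf)
        return EXPR_SYNTAX;
    memset(buf, '(', n);
    buf[n] = '1';
    memset(buf + n + 1, ')', n);
    buf[2 * n + 1] = '\0';
    long v;
    int rc = eval_expr(buf, &v);
    free(buf);
    return rc;
}

int main(void)
{
    printf("1+(2*3) = %ld\n", eval_value("1+(2*3)"));
    printf("64 nested parens -> rc %d\n", eval_nested_rc(64));
    printf("100000 nested parens -> rc %d\n", eval_nested_rc(100000));
    return 0;
}
```

The depth counter lives in the parser state rather than in a global, so every entry to the recursive production pays the check and the limit cannot be bypassed by a different grammar path into the same level; with nasm's expr0..expr6 chain the equivalent check belongs at the point where expr6 re-enters expr0. A fuzzing harness run under ASan will then see the bounded input rejected with an error instead of the stack-overflow report above.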