Created attachment 411755: poc

Hi,

I found a heap-buffer-overflow in hash_findi at hashtbl.c:157.
It is triggered in nasm version 2.15.

NASM version 2.15rc0-20191023 compiled on Dec 9 2019

Please run the following command:

$ nasm -o /dev/null -f bin $PoC

Here's the ASAN log:

==28391==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000456 at pc 0x00000049552c bp 0x7fffe7228b50 sp 0x7fffe7228300
READ of size 279 at 0x612000000456 thread T0
    #0 0x49552b in __interceptor_strlen.part.30 (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x49552b)
    #1 0x9c4906 in hash_findi /home/suhwan/project/program/nasm-2.15rc0-20191023/nasmlib/hashtbl.c:157:35
    #2 0x6932c5 in hash_findix /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:1171:9
    #3 0x6932c5 in expand_one_smacro /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:4999
    #4 0x690e0f in expand_smacro_noreset /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:5474:27
    #5 0x5e8c10 in expand_smacro /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:5431:12
    #6 0x5e8c10 in pp_tokline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6415
    #7 0x5e8c10 in pp_getline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6428
    #8 0x50a7f9 in assemble_file /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:1630:24
    #9 0x50a7f9 in main /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:637
    #10 0x7f5cbe6a9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #11 0x41a4a9 in _start (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x41a4a9)

0x612000000456 is located 0 bytes to the right of 278-byte region [0x612000000340,0x612000000456)
allocated by thread T0 here:
    #0 0x4d8720 in malloc (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x4d8720)
    #1 0x526d10 in nasm_malloc /home/suhwan/project/program/nasm-2.15rc0-20191023/nasmlib/alloc.c:55:9
    #2 0x5e8c10 in expand_smacro /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:5431:12
    #3 0x5e8c10 in pp_tokline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6415
    #4 0x5e8c10 in pp_getline /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/preproc.c:6428
    #5 0x50a7f9 in assemble_file /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:1630:24
    #6 0x50a7f9 in main /home/suhwan/project/program/nasm-2.15rc0-20191023/asm/nasm.c:637
    #7 0x7f5cbe6a9b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/hda2/suhwan/BUG_AFL/ezxml_fuzzing/nasm+0x49552b) in __interceptor_strlen.part.30
Shadow bytes around the buggy address:
  0x0c247fff8030: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8050: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
  0x0c247fff8060: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8080: 00 00 00 00 00 00 00 00 00 00[06]fa fa fa fa fa
  0x0c247fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28391==ABORTING
Doesn't trigger in nasm-2.15.04rc5-4-g51e23ac7