Created attachment 411851
the POC file

Hi, developers of NASM:

I tested the binary ndisasm with my fuzzer, and a crash occurred, i.e., a stack-buffer-overflow error. The version of NASM is the latest (the newest master branch on GitHub (https://github.com/netwide-assembler/nasm.git), version: NASM version 2.16rc0 compiled on Sep 20 2022) and the operating system is Ubuntu 18.04.6 LTS (docker). The following are the details.

root@1312a373d471:/fuzz-nasm/ndisasm# ./ndisasm ../out/crashes/id\:000001\,sig\:06\,src\:000003\,op\:havoc\,rep\:128\,354194
00000000  46                inc si
00000001  53                push bx
00000002  48                dec ax
00000003  B80011            mov ax,0x1100
00000006  FB                sti
00000007  FA                cli
00000008  0000              add [bx+si],al
0000000A  000A              add [bp+si],cl
0000000C  1000              adc [bx+si],al
0000000E  53                push bx
0000000F  1F                pop ds
00000010  FF                db 0xff
00000011  7F06              jg 0x19
00000013  8B19              mov bx,[bx+di]
00000015  CB                retf
00000016  76F7              jna 0xf
00000018  76B2              jna 0xffcc
0000001A  93                xchg ax,bx
0000001B  C9                leave
0000001C  E0EB              loopne 0x9
0000001E  DE                db 0xde
0000001F  DE                db 0xde
00000020  DE                db 0xde
00000021  DE                db 0xde
00000022  DEC0              faddp st0
00000024  DE                db 0xde
00000025  DE                db 0xde
00000026  DE                db 0xde
00000027  DE                db 0xde
00000028  DE                db 0xde
00000029  DE                db 0xde
0000002A  DE                db 0xde
0000002B  DE                db 0xde
0000002C  DE                db 0xde
0000002D  DE                db 0xde
0000002E  DE                db 0xde
0000002F  DE                db 0xde
00000030  DE                db 0xde
00000031  DE                db 0xde
00000032  DE                db 0xde
00000033  DE                db 0xde
00000034  DE                db 0xde
00000035  DE                db 0xde
00000036  DE                db 0xde
00000037  DE                db 0xde
00000038  DE                db 0xde
00000039  DE                db 0xde
0000003A  DE                db 0xde
0000003B  DE4B53            fimul word [bp+di+0x53]
0000003E  6D                insw
0000003F  02611F            add ah,[bx+di+0x1f]
00000042  5F                pop di
00000043  0009              add [bx+di],cl
00000045  00940000          add [si+0x0],dl
00000049  FB                sti
0000004A  FB                sti
0000004B  FB                sti
0000004C  FB                sti
0000004D  FB                sti
0000004E  FB                sti
0000004F  0031              add [bx+di],dh
00000051  53                push bx
00000052  47                inc di
00000053  E25F              loop 0xb4
00000055  DE                db 0xde
00000056  DE                db 0xde
00000057  DE                db 0xde
00000058  DE                db 0xde
00000059  DE                db 0xde
0000005A  DE                db 0xde
0000005B  DE                db 0xde
0000005C  DE                db 0xde
0000005D  DE                db 0xde
0000005E  DE4B53            fimul word [bp+di+0x53]
00000061  6D                insw
00000062  02611F            add ah,[bx+di+0x1f]
00000065  5F                pop di
00000066  0009              add [bx+di],cl
00000068  00940000          add [si+0x0],dl
0000006C  FB                sti
0000006D  FB                sti
0000006E  FB                sti
0000006F  FB                sti
00000070  FB                sti
00000071  FB                sti
00000072  0031              add [bx+di],dh
00000074  53                push bx
00000075  0015              add [di],dl
00000077  00D8              add al,bl
00000079  64007F03          add [fs:bx+0x3],bh
0000007D  CB                retf
0000007E  10                db 0x10
=================================================================
==837963==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe8026e8a0 at pc 0x0000004286f6 bp 0x7ffe8026bc90 sp 0x7ffe8026bc88
READ of size 1 at 0x7ffe8026e8a0 thread T0
    #0 0x4286f5 in matches (/fuzz-nasm/ndisasm/ndisasm+0x4286f5)
    #1 0x41cf50 in disasm (/fuzz-nasm/ndisasm/ndisasm+0x41cf50)
    #2 0x40c89c in main (/fuzz-nasm/ndisasm/ndisasm+0x40c89c)
    #3 0x7efc81801c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #4 0x406759 in _start (/fuzz-nasm/ndisasm/ndisasm+0x406759)

Address 0x7ffe8026e8a0 is located in stack of thread T0 at offset 96 in frame
    #0 0x406a8f in main (/fuzz-nasm/ndisasm/ndisasm+0x406a8f)

  This frame has 6 object(s):
    [32, 96) 'buffer' <== Memory access at offset 96 overflows this variable
    [128, 136) 'ep'
    [160, 416) 'outbuf'
    [480, 484) 'synclen'
    [496, 516) 'prefer'
    [560, 561) 'rn_error'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/fuzz-nasm/ndisasm/ndisasm+0x4286f5) in matches
Shadow bytes around the buggy address:
  0x100050045cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050045cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050045ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050045cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050045d00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x100050045d10: 00 00 00 00[f2]f2 f2 f2 00 f2 f2 f2 00 00 00 00
  0x100050045d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050045d30: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x100050045d40: f2 f2 f2 f2 04 f2 00 00 04 f2 f2 f2 f2 f2 01 f3
  0x100050045d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050045d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==837963==ABORTING

I uploaded the POC in the attachment. Thank you for your time!

Credit
Xudong Cao (NCNIPC of China)
Han Zheng (NCNIPC of China, Hexhive)
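The frame report shows a 64-byte 'buffer' ([32, 96)) and a one-byte read at offset 96, just past its end, while the listing ends in a lone opcode byte (0x10) that in 16-bit mode still needs a ModRM byte. As an added example (not NASM's code), this is the check a decoder that works through fixed-size, refilled chunks needs: every fetch is bounds-checked against the chunk length, and an instruction that does not fit is reported as truncated so its bytes can be carried into the next refill rather than read past the buffer. The opcode subset, the constructed tail bytes (taken from the listing, fs prefix dropped) and the link between the trailing 0x10 and the overflow are my assumptions.

```c
#include <stddef.h>
#include <stdint.h>

enum { DEC_TRUNCATED = -1, DEC_UNKNOWN = -2 };
/* Displacement bytes required by a 16-bit ModRM byte. */
static size_t modrm16_disp_len(uint8_t modrm) {
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    if (mod == 3) return 0;
    if (mod == 0) return rm == 6 ? 2 : 0;
    return mod == 1 ? 1 : 2;
}

/* Decode one instruction of a small 16-bit subset starting at data[pos].
 * Returns bytes consumed, DEC_TRUNCATED if the instruction would extend
 * past len, DEC_UNKNOWN for opcodes outside the subset. Every byte read
 * is checked against len first, so data[len] is never touched. */
int decode_one(const uint8_t *data, size_t len, size_t pos) {
    size_t need;
    if (pos >= len) return DEC_TRUNCATED;
    switch (data[pos]) {
    case 0xCB: case 0xFB: case 0xFA: case 0x53:   /* retf, sti, cli, push bx */
        return 1;
    case 0x7F: need = 1; break;                   /* jg rel8 */
    case 0xB8: need = 2; break;                   /* mov ax,imm16 */
    case 0x00: case 0x10:                         /* add/adc r/m8,r8 */
        if (pos + 1 >= len) return DEC_TRUNCATED; /* ModRM byte missing */
        need = 1 + modrm16_disp_len(data[pos + 1]);
        break;
    default: return DEC_UNKNOWN;
    }
    return (pos + 1 + need <= len) ? (int)(1 + need) : DEC_TRUNCATED;
}

/* Walk a fixed-size input chunk the way a refilling disassembler loop does.
 * Returns the offset of the first instruction that does not fit, so the
 * caller can keep those bytes and prepend them to the next refill. */
size_t decode_chunk(const uint8_t *data, size_t len) {
    size_t pos = 0;
    while (pos < len) {
        int n = decode_one(data, len, pos);
        if (n == DEC_TRUNCATED) break;
        pos += (n == DEC_UNKNOWN) ? 1 : (size_t)n;   /* unknown: emit db, step 1 */
    }
    return pos;
}
/* Constructed sample: the last bytes of the page's listing (fs prefix dropped),
 * ending with opcode 0x10, whose ModRM byte lies beyond this chunk. */
static const uint8_t tail_chunk[] = {0x00, 0x7F, 0x03, 0xCB, 0x10};
size_t demo_tail(void) { return decode_chunk(tail_chunk, sizeof tail_chunk); }
```

decode_chunk stops at offset 4 of the sample, the lone 0x10, instead of fetching a ModRM byte from beyond the chunk.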