Created attachment 411880
poc file to reproduce the problem

Hello. My fuzzer found a heap buffer overflow in nasm-2.16.02rc1 (github commit: b952891, on Feb 20, 2023). I think this problem may have appeared in an earlier version, but it still exists. Please confirm. Thank you.

Environment:
OS: Ubuntu 20.04.1
gcc: 9.4.0
nasm: nasm-2.16.02rc1 (github commit: b952891, on Feb 20, 2023)

I compiled nasm with AddressSanitizer:
CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" \
./configure

Command Input:
./nasm -f elf64 nasm-crash -o /tmp/null
nasm-crash is attached.

Command Output:
ASAN result
==2956646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000399c at pc 0x561b944cfc75 bp 0x7ffcd0b7daf0 sp 0x7ffcd0b7dae0
READ of size 4 at 0x60200000399c thread T0
    #0 0x561b944cfc74 in expand_mmacro asm/preproc.c:6863
    #1 0x561b944d51d7 in pp_tokline asm/preproc.c:7811
    #2 0x561b944d5297 in pp_getline asm/preproc.c:7823
    #3 0x561b94488160 in assemble_file asm/nasm.c:1719
    #4 0x561b944836d4 in main asm/nasm.c:716
    #5 0x7fb3c9900082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x561b94480ccd in _start (/root/newtarget/nasm-nasm-2.16.02rc1/build_asan/bin/nasm+0x12bccd)

0x60200000399c is located 0 bytes to the right of 12-byte region [0x602000003990,0x60200000399c)
allocated by thread T0 here:
    #0 0x7fb3c9bdba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x561b9448a44c in nasm_calloc nasmlib/alloc.c:72
    #2 0x561b944cf8ec in expand_mmacro asm/preproc.c:6818
    #3 0x561b944d51d7 in pp_tokline asm/preproc.c:7811
    #4 0x561b944d5297 in pp_getline asm/preproc.c:7823
    #5 0x561b94488160 in assemble_file asm/nasm.c:1719
    #6 0x561b944836d4 in main asm/nasm.c:716
    #7 0x7fb3c9900082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow asm/preproc.c:6863 in expand_mmacro
Shadow bytes around the buggy address:
  0x0c047fff86e0: fa fa 00 02 fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff86f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8700: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8710: fa fa fd fa fa fa 02 fa fa fa fd fd fa fa fd fd
  0x0c047fff8720: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 02 fa
=>0x0c047fff8730: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2956646==ABORTING
Created attachment 411881
a new poc file that can run nasm without asan and we can analyze it with GDB

This is a new poc file that can run nasm without asan, and we can analyze it with GDB. If you compile nasm with asan, you will find the two bugs' asan results are similar, but if you compile nasm without asan, only the second poc file can be analyzed with GDB (SIGABRT).
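For triage, the parts of the report above worth pulling out mechanically are the error kind, the faulting access (READ of size 4), the top project frames, and the allocation site and size of the overrun region; the second comment's observation that the two PoCs give similar ASan results is exactly the question a crash fingerprint answers when a fuzzing campaign produces many files. The following is an added example, written for this page and not code from the bug report or from the nasm project. The first sample is the ASan report from the comment above with the shadow-byte dump dropped; the second sample is a constructed variant with a different pid and heap addresses, standing in for a rerun, and is not taken from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input, copied from the ASan report in the bug comment above
# (shadow-byte dump omitted; the parser does not need it).
SAMPLE_REPORT = """\
==2956646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000399c at pc 0x561b944cfc75 bp 0x7ffcd0b7daf0 sp 0x7ffcd0b7dae0
READ of size 4 at 0x60200000399c thread T0
    #0 0x561b944cfc74 in expand_mmacro asm/preproc.c:6863
    #1 0x561b944d51d7 in pp_tokline asm/preproc.c:7811
    #2 0x561b944d5297 in pp_getline asm/preproc.c:7823
    #3 0x561b94488160 in assemble_file asm/nasm.c:1719
    #4 0x561b944836d4 in main asm/nasm.c:716
    #5 0x7fb3c9900082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x561b94480ccd in _start (/root/newtarget/nasm-nasm-2.16.02rc1/build_asan/bin/nasm+0x12bccd)
0x60200000399c is located 0 bytes to the right of 12-byte region [0x602000003990,0x60200000399c)
allocated by thread T0 here:
    #0 0x7fb3c9bdba06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x561b9448a44c in nasm_calloc nasmlib/alloc.c:72
    #2 0x561b944cf8ec in expand_mmacro asm/preproc.c:6818
SUMMARY: AddressSanitizer: heap-buffer-overflow asm/preproc.c:6863 in expand_mmacro
"""
# Constructed variant (not from the bug report): the same crash as a second
# run would print it, with a different pid and different heap addresses.
SAMPLE_REPORT_RERUN = SAMPLE_REPORT.replace("2956646", "2957001").replace(
    "0x60200000399c", "0x60200000451c").replace("0x602000003990", "0x602000004510")

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.*)$")
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"is located (\d+) bytes (?:to the (left|right) of|inside of) (\d+)-byte region")

@dataclass
class Frame:
    function: str
    location: str  # "file:line" with debug info, "(binary+offset)" without

@dataclass
class AsanReport:
    kind: str = ""
    access: str = ""
    size: int = 0
    frames: List[Frame] = field(default_factory=list)        # stack of the bad access
    alloc_frames: List[Frame] = field(default_factory=list)  # stack that allocated the region
    region_size: Optional[int] = None
    offset: Optional[int] = None
    side: Optional[str] = None

def parse_asan_report(text: str) -> AsanReport:
    """Extract kind, access, region geometry and both stacks from an ASan report."""
    rep = AsanReport()
    current = None  # the frame list that subsequent '#N ...' lines belong to
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            rep.kind = m.group(1)
            continue
        m = ACCESS_RE.match(line)
        if m:
            rep.access, rep.size = m.group(1), int(m.group(2))
            current = rep.frames
            continue
        m = REGION_RE.search(line)
        if m:
            rep.offset = int(m.group(1))
            rep.side = f"to the {m.group(2)} of" if m.group(2) else "inside"
            rep.region_size = int(m.group(3))
            continue
        if line.startswith("allocated by"):
            current = rep.alloc_frames
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(m.group(2), m.group(3).strip()))
    return rep

def fingerprint(rep: AsanReport, depth: int = 3) -> str:
    """Stable crash signature: error kind plus the top `depth` project frames.
    Runtime frames (names starting with '__') and frames without file:line are
    skipped, so the signature is unaffected by pid, ASLR or rebuilds."""
    keep = [f for f in rep.frames
            if not f.function.startswith("__") and ":" in f.location]
    return rep.kind + "|" + "|".join(f"{f.function}@{f.location}" for f in keep[:depth])

def describe(rep: AsanReport) -> str:
    """One-line triage summary of the faulting access and the allocation site."""
    top = rep.frames[0] if rep.frames else Frame("?", "?")
    site = next((f for f in rep.alloc_frames if not f.function.startswith("__")), None)
    alloc = f", region allocated in {site.function} ({site.location})" if site else ""
    return (f"{rep.kind}: {rep.access} of {rep.size} bytes, {rep.offset} bytes {rep.side} "
            f"a {rep.region_size}-byte region, in {top.function} ({top.location}){alloc}")

if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(describe(report))
    print(fingerprint(report))
    print(fingerprint(report) == fingerprint(parse_asan_report(SAMPLE_REPORT_RERUN)))
```

Two reports that share a fingerprint (the kind plus the top three project frames) are almost always one bug and can be filed once, which is the check the second comment is making by eye. The geometry the parser extracts is also the first thing to read when looking for the fix: a 12-byte calloc at asm/preproc.c:6818 and a 4-byte read ending exactly 0 bytes past it at line 6863 is the pattern of an index one element past a three-element array of 4-byte values, which points the review at the bounds check on that index rather than at the allocation size.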