NASM 2.10.07 through 2.13.03, and potentially earlier, contains a denial of service vulnerability that can result in a segmentation fault due to the program incorrectly dereferencing an invalid address. This attack is exploitable via a specially crafted asm file. Upstream bug: https://bugzilla.nasm.us/show_bug.cgi?id=3392507 References: https://github.com/cyrillos/nasm/issues/3
Created nasm tracking bugs for this issue: Affects: fedora-all [bug 1626257]
Posted analysis upstream, copying here. In summary, found a new, very similar crash. This appears to be due to the following pattern in preproc.c: ```c tt = tokenize(tline->text); tt = expand_smacro(tt); size = parse_size(tt->text); ``` In this case, expand_smacro errors out. ->text is set to NULL, and -> type is set to TOK_WHITESPACE. We then call parse_size with NULL. No NULL checks occur inside, and we eventually crash when trying to dereference null inside of bsii's stricmp call. This same pattern also appears in the case of PP_ARG. Thus, we can create a similar reproducer via crafting a file with %arg instead of %local. Both reproducers are attached (I have drastically reduced the reproducers to the minimal crash case I believe).