$ ./diec ~/test2
=================================================================
==2562952==ERROR: AddressSanitizer: heap-use-after-free on address 0x60600067acd8 at pc 0x564d63edd9a2 bp 0x7ffd0e1bdc80 sp 0x7ffd0e1bdc78
READ of size 1 at 0x60600067acd8 thread T0
#0 0x564d63edd9a1 in XBinary::getFileTypes(bool) /home/kali/Documents/workspace/DIE-engine/Formats/xbinary.cpp:4519
#1 0x564d63ee4149 in XBinary::getFileTypes(QIODevice*, bool) /home/kali/Documents/workspace/DIE-engine/Formats/xbinary.cpp:4677
#2 0x564d640fe544 in XFormats::_getFileTypes(QIODevice*, bool) /home/kali/Documents/workspace/DIE-engine/Formats/xformats.cpp:1200
#3 0x564d640f2fb8 in XFormats::getFileTypes(QIODevice*, bool) /home/kali/Documents/workspace/DIE-engine/Formats/xformats.cpp:720
#4 0x564d6413660e in DiE_Script::process(QIODevice*, QString const&, DiE_Script::SCAN_RESULT*, long long, long long, XBinary::SCANID, DiE_Script::OPTIONS*, bool, XBinary::PDSTRUCT*) /home/kali/Documents/workspace/DIE-engine/die_script/die_script.cpp:604
#5 0x564d64135c09 in DiE_Script::processDevice(QIODevice*, DiE_Script::OPTIONS*, QString const&, XBinary::PDSTRUCT*) /home/kali/Documents/workspace/DIE-engine/die_script/die_script.cpp:571
#6 0x564d64135725 in DiE_Script::processFile(QString const&, DiE_Script::OPTIONS*, QString const&, XBinary::PDSTRUCT*) /home/kali/Documents/workspace/DIE-engine/die_script/die_script.cpp:556
#7 0x564d6413524e in DiE_Script::scanFile(QString const&, DiE_Script::OPTIONS*, XBinary::PDSTRUCT*) /home/kali/Documents/workspace/DIE-engine/die_script/die_script.cpp:540
#8 0x564d641b1ae8 in ScanFiles(QList<QString>*, DiE_Script::OPTIONS*, DiE_Script*) /home/kali/Documents/workspace/DIE-engine/console_source/main_console.cpp:112
#9 0x564d641b6ccf in main /home/kali/Documents/workspace/DIE-engine/console_source/main_console.cpp:320
#10 0x7fb09da456c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#11 0x7fb09da45784 in __libc_start_main_impl ../csu/libc-start.c:360
#12 0x564d63e918e0 in _start (/home/kali/Documents/workspace/DIE-engine/build/release/diec+0x2e48e0) (BuildId: 6f8f5f70f72e1518d367f405f4dc9201757083b8)
Due to my unfamiliarity with C++ code, I spent some time studying the memory allocation issue without using 'malloc'. I once thought this was a false positive for ASAN, but later discovered that it was actually a very simple UAF caused by a C++ object reference being used outside the scope of the object it refers to.
There is a UAF vulnerability when DIE enters certain special branches. This vulnerability can be triggered by carefully constructed files.
poc.zip
It seems that the issue existed before commit https://github.com/horsicq/Formats/commit/497d49545b0645ec127aabecc38884c9a93af90d. Fixing it is easy; I will create a pull request.
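The reporter's explanation above (a reference to a C++ object that outlives the object, showing up to AddressSanitizer as a heap-use-after-free with no `malloc` in sight) is easier to recognise with a minimal reproduction. The following is an added example written for this page; it is not DIE's code and does not reproduce the actual `XBinary::getFileTypes` bug. `detectFileTypes`, `ScanContextBuggy`, `ScanContextFixed` and the byte signatures are constructed for illustration. It shows the dangling-reference pattern beside the owning version that fixes it, and can be compiled with `-fsanitize=address -DDEMONSTRATE_UAF` to see the sanitizer report on the buggy path.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Hypothetical file-type classifier (constructed for this example; not DIE's XBinary).
enum class FileType { Unknown, Elf, Pe, Zip };

// Returns the candidate type set BY VALUE: the caller owns the result and its lifetime.
std::set<FileType> detectFileTypes(const std::vector<unsigned char> &data) {
    std::set<FileType> result;
    if (data.size() >= 4 && data[0] == 0x7F && data[1] == 'E' && data[2] == 'L' && data[3] == 'F')
        result.insert(FileType::Elf);
    if (data.size() >= 2 && data[0] == 'M' && data[1] == 'Z')
        result.insert(FileType::Pe);
    if (data.size() >= 4 && data[0] == 'P' && data[1] == 'K' && data[2] == 0x03 && data[3] == 0x04)
        result.insert(FileType::Zip);
    if (result.empty())
        result.insert(FileType::Unknown);
    return result;
}

// BUGGY: a scan context that only *refers* to the type set instead of owning it.
struct ScanContextBuggy {
    const std::set<FileType> &types;  // reference member: no ownership, no lifetime guarantee
};

// `types` is a local; it is destroyed when this function returns, and std::set frees its
// heap nodes in that destructor. The reference stored in the returned struct now dangles,
// so the next read through it is a use-after-free. No malloc/free appears in this code
// at all, which is why the sanitizer report can look like a false positive at first.
ScanContextBuggy makeContextBuggy(const std::vector<unsigned char> &data) {
    std::set<FileType> types = detectFileTypes(data);
    return ScanContextBuggy{types};
}

// FIXED: the context owns its data. The set is moved in, so the cost is negligible.
struct ScanContextFixed {
    std::set<FileType> types;
};

ScanContextFixed makeContextFixed(const std::vector<unsigned char> &data) {
    return ScanContextFixed{detectFileTypes(data)};
}

// Safe query on the owning context: used by the checks below.
bool contextHasType(const ScanContextFixed &ctx, FileType t) {
    return ctx.types.count(t) == 1;
}

int main() {
    // Constructed sample input: an ELF magic followed by padding.
    const std::vector<unsigned char> elfHeader = {0x7F, 'E', 'L', 'F', 0x02, 0x01};

    ScanContextFixed good = makeContextFixed(elfHeader);
    std::printf("fixed context sees ELF: %s\n", contextHasType(good, FileType::Elf) ? "yes" : "no");

#ifdef DEMONSTRATE_UAF
    // Only compiled on request: reads through the dangling reference. Under
    // AddressSanitizer this is reported as a use-after-free (stack or heap,
    // depending on which destroyed object is touched first).
    ScanContextBuggy bad = makeContextBuggy(elfHeader);
    std::printf("buggy context size: %zu\n", bad.types.size());
#endif
    return 0;
}
```

The general lesson mirrors the reporter's finding: any `const T &` bound to something that is not guaranteed to outlive the reference (a local, a member of a temporary, an element of a container that is later modified) is a latent use-after-free that only a sanitizer or a crafted input will reveal. Returning or storing by value, or tying the lifetime to an owning object, removes the class of bug rather than the one instance.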