Version 0cf4a55
Stack buffer overflow found in parse.c, in function get_key().
The root cause is probably in function set_k_acc(): the arrays accs and pits each have size 8.
If s->u.key.sf is bigger than 7 (a valid key signature never has more than 7 sharps or flats, and the buffers hold only 8 entries), the loop indexes accs and pits out of bounds and corrupts the stack. The larger s->u.key.sf is, the further past the local buffers the writes go, until the stack frame itself (saved registers and return address) is corrupted.
```c
static void set_k_acc(struct SYMBOL *s)
{
    int i, j, nacc;
    char accs[8], pits[8];          /* fixed-size locals on the stack */
    ...
    if (s->u.key.sf > 0) {
        /* loop bound is the parsed key field; nothing limits it to the
         * 8 entries of accs/pits (or the 7 entries of sharp_tb) */
        for (nacc = 0; nacc < s->u.key.sf; nacc++) {
            accs[nacc] = A_SH;
            pits[nacc] = sharp_tb[nacc];
        }
    }
```
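The following is an added example, not abcm2ps's own code, showing the same loop with the bound checked before the untrusted sf value is used. The struct, the A_SH/A_FT values, flat_tb and the table contents are assumptions made so the example builds stand-alone; only the names set_k_acc, accs, pits, sharp_tb and A_SH come from the report.

```c
#include <stdio.h>

/* Constructed stand-in for the part of abcm2ps's struct SYMBOL the excerpt
 * touches: only the key-signature field s->u.key.sf (sharps > 0, flats < 0). */
struct key_sym {
    int sf;
};

/* Accidental codes. A_SH is named in the excerpt; A_FT and both numeric
 * values are assumptions. */
enum { A_SH = 1, A_FT = 2 };

/* A key signature has at most 7 sharps or 7 flats, so neither the tables
 * nor a buffer filled from them ever legitimately needs more than 7 entries. */
#define KEY_ACC_MAX 7
#define ACC_BUF_SIZE 8          /* size of accs[] / pits[] in the excerpt */

/* Order in which sharps and flats appear, as pitch classes 0..6 = C D E F G A B.
 * sharp_tb is named in the excerpt; flat_tb and both contents are assumptions. */
static const char sharp_tb[KEY_ACC_MAX] = { 3, 0, 4, 1, 5, 2, 6 }; /* F C G D A E B */
static const char flat_tb[KEY_ACC_MAX]  = { 6, 2, 5, 1, 4, 0, 3 }; /* B E A D G C F */

/* Hardened form of the loop from the report: the untrusted field sf is
 * validated against the musical limit and the caller's buffer size before it
 * becomes a loop bound. Returns the number of accidentals written, or -1 if
 * sf is out of range, in which case the buffers are left untouched. */
static int set_k_acc_checked(const struct key_sym *s,
                             char *accs, char *pits, size_t cap)
{
    int n = s->sf < 0 ? -s->sf : s->sf;

    if (n > KEY_ACC_MAX || (size_t)n > cap)
        return -1;              /* the report's sf > 7 case stops here */

    for (int i = 0; i < n; i++) {
        accs[i] = s->sf > 0 ? A_SH : A_FT;
        pits[i] = s->sf > 0 ? sharp_tb[i] : flat_tb[i];
    }
    return n;
}

/* Number of accidentals produced for a given sf, or -1 when rejected. */
static int key_acc_count(int sf)
{
    struct key_sym s = { sf };
    char accs[ACC_BUF_SIZE], pits[ACC_BUF_SIZE];
    return set_k_acc_checked(&s, accs, pits, sizeof accs);
}

/* Pitch class of the i-th accidental for a given sf, or -1 if sf is rejected
 * or i is not one of the written entries. */
static int key_acc_pitch(int sf, int i)
{
    struct key_sym s = { sf };
    char accs[ACC_BUF_SIZE], pits[ACC_BUF_SIZE];
    int n = set_k_acc_checked(&s, accs, pits, sizeof accs);
    if (n < 0 || i < 0 || i >= n)
        return -1;
    return pits[i];
}

int main(void)
{
    /* Constructed sf values: valid sharps, valid flats, no accidentals, and
     * the over-range inputs the report describes (sharp_tb has 7 entries and
     * accs/pits 8, so sf beyond that reads and then writes out of bounds). */
    const int samples[] = { 7, -3, 0, 9, -8 };

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int n = key_acc_count(samples[k]);
        printf("sf=%3d -> ", samples[k]);
        if (n < 0) {
            printf("rejected\n");
            continue;
        }
        for (int i = 0; i < n; i++)
            printf("%c%s", "CDEFGAB"[key_acc_pitch(samples[k], i)],
                   samples[k] > 0 ? "#" : "b");
        printf(" (%d accidentals)\n", n);
    }
    return 0;
}
```

The check belongs at the point where sf is first used as a loop bound; rejecting |sf| > 7 in get_key() when the K: field is parsed would stop the same bug from reaching any other consumer of the field.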
Reproduce: abcm2ps -E poc
Attachment: buffer-over-flow_parse.c_set_k_acc.zip
Reporter: chiba of topsec alphalab