Closed Wohlstand closed 7 years ago
Original comment by Michael Pyne (Bitbucket: mpyne, GitHub: mpyne).
This seems to be due to the `pc` register using a "fast" integer type instead of a fixed-width type. If `pc` could be forced to the right value then maybe it could be possible for `pc` itself to be treated as a negative number whose lower 16 bits happen to have the exact magnitude if treated as positive. This would cause the `instr += PAGE_OFFSET( pc )` line to cause `instr` to equal 0, which is then dereferenced --> BOOM.
Commit 9728bf777a048fd9181bbe173da8fed5eae0ab99 changed the fast integer types to use fixed-width types. I can't reproduce the crash here with the latest master so I think it's already fixed, though I would appreciate someone else testing to ensure it's not just a local fix.
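An added illustration of the type issue discussed in this comment (example code written for this page, not game-music-emu's own): a program counter held in `int_fast16_t` is signed and only guaranteed to be at least 16 bits wide, so stepping it backwards past zero yields a negative value, whereas a `uint16_t` wraps modulo 2^16 and can never leave the address space. The 2 KiB page geometry and the `PAGE_OFFSET` definition below are assumptions for the illustration, as is the bounds-checked page lookup that rejects an out-of-range index instead of using it to form a pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-bit address space with 2 KiB pages. The page geometry and the
 * PAGE_OFFSET definition are assumptions for this illustration, not gme's own. */
#define PAGE_BITS   11
#define PAGE_SIZE   (1L << PAGE_BITS)
#define PAGE_COUNT  (0x10000L >> PAGE_BITS)          /* 32 pages cover 64 KiB */
#define PAGE_OFFSET(addr) ((addr) & (PAGE_SIZE - 1))

/* A pc held in a fixed-width unsigned type: arithmetic wraps modulo 2^16,
 * so the value can never be negative or exceed the address space. */
uint16_t advance_pc_fixed(uint16_t pc, int delta)
{
    return (uint16_t)(pc + delta);
}

/* A pc held in a "fast" type: int_fast16_t is only guaranteed to be at least
 * 16 bits wide (it is 64 bits on x86-64 glibc), and it is signed, so a
 * backwards step past zero yields a genuinely negative pc instead of wrapping. */
int_fast16_t advance_pc_fast(int_fast16_t pc, int delta)
{
    return pc + delta;
}

/* Defensive page lookup: derive the page index from pc and refuse anything
 * outside the table instead of indexing with a negative or oversized value. */
long page_index_checked(long pc)
{
    long idx = pc >> PAGE_BITS;
    if (pc < 0 || idx >= PAGE_COUNT)
        return -1;
    return idx;
}

int main(void)
{
    printf("sizeof(uint16_t)=%zu sizeof(int_fast16_t)=%zu\n",
           sizeof(uint16_t), sizeof(int_fast16_t));
    printf("fixed: 100 - 200 -> 0x%04X\n", advance_pc_fixed(100, -200));
    printf("fast:  100 - 200 -> %ld\n", (long)advance_pc_fast(100, -200));
    printf("page index of fast result: %ld (-1 = rejected)\n",
           page_index_checked((long)advance_pc_fast(100, -200)));
    return 0;
}
```

The fixed-width variant is what the referenced commit moves towards; the checked lookup is the complementary guard, since a page table indexed by a negative or oversized value is exactly how a bad `instr` pointer arises.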
Original comment by Hanno Böck (Bitbucket: [Hanno Böck](https://bitbucket.org/Hanno Böck)).
Can confirm that this is fixed. I'm now re-testing with the git master branch to see if I find further bugs.
Original comment by Hanno Böck (Bitbucket: [Hanno Böck](https://bitbucket.org/Hanno Böck)).
Already fixed by a previous change in git.
Original report by Hanno Böck (Bitbucket: [Hanno Böck](https://bitbucket.org/Hanno Böck)).
The attached file crashes game-music-emu with a null pointer access.
This was found with the fuzzing tool american fuzzy lop.
Here's a stack trace from AddressSanitizer: