ragg2 crash on long valid input.

[mmmdzz]

Work environment

Questions	Answers
OS/arch/bits (mandatory)	Ubuntu x86 64
File format of the file you reverse (mandatory)	ELF
Architecture/bits of the file (mandatory)	x86/64
r2 -v full output, not truncated (mandatory)	radare2 3.6.0-git 21923 @ linux-x86-64 git.3.5.1-149-g573f2caa3 commit: 573f2ca build: 2019-06-02__15:06:21

Expected behavior

$ ragg2 -a x86 -b 64 hello.r
$ <output asmcode>

Actual behavior

$ ragg2 -a x86 -b 64 hello.r
$ Segmentation fault (core dumped)

Steps to reproduce the behavior

Unzip hello.zip and you will get hello.r

Additional Logs, screenshots, source-code, configuration dump, ...

After checking the source code, the vulnerability is caused by lacking boundary checking for "egg->lang.elem_n++", resulting a heap buffer overflow. It could be fixed quickly by adding associated checking.

[mmmdzz]

More output from valgrind:

--28891-- REDIR: 0x5183db0 (libc.so.6:__strstr_sse2_unaligned) redirected to 0x4c376e0 (strstr)
--28891-- REDIR: 0x5167590 (libc.so.6:__GI_strstr) redirected to 0x4c37760 (__strstr_sse2)
--28891-- REDIR: 0x524e510 (libc.so.6:__strncmp_sse42) redirected to 0x4c33570 (__strncmp_sse42)
==28891== Invalid read of size 1
==28891==    at 0x8A97D89: skipspaces (egg_lang.c:16)
==28891==    by 0x8A995FC: r_egg_mkvar (egg_lang.c:531)
==28891==    by 0x8A9B9FD: rcc_next (egg_lang.c:1134)
==28891==    by 0x8A9C38C: r_egg_lang_parsechar (egg_lang.c:1304)
==28891==    by 0x8A97376: r_egg_compile (egg.c:345)
==28891==    by 0x4E4B1FD: r_main_ragg2 (ragg2.c:399)
==28891==    by 0x108739: main (ragg2.c:6)
==28891==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
==28891== 
==28891== 
==28891== Process terminating with default action of signal 11 (SIGSEGV)
==28891==  General Protection Fault
==28891==    at 0x8A97D89: skipspaces (egg_lang.c:16)
==28891==    by 0x8A995FC: r_egg_mkvar (egg_lang.c:531)
==28891==    by 0x8A9B9FD: rcc_next (egg_lang.c:1134)
==28891==    by 0x8A9C38C: r_egg_lang_parsechar (egg_lang.c:1304)
==28891==    by 0x8A97376: r_egg_compile (egg.c:345)
==28891==    by 0x4E4B1FD: r_main_ragg2 (ragg2.c:399)
==28891==    by 0x108739: main (ragg2.c:6)
==28891== 
==28891== HEAP SUMMARY:
==28891==     in use at exit: 62,805 bytes in 216 blocks
==28891==   total heap usage: 952 allocs, 736 frees, 119,960 bytes allocated
==28891== 
==28891== Searching for pointers to 216 not-freed blocks
==28891== Checked 5,563,432 bytes
==28891== 
==28891== LEAK SUMMARY:
==28891==    definitely lost: 0 bytes in 0 blocks
==28891==    indirectly lost: 0 bytes in 0 blocks
==28891==      possibly lost: 0 bytes in 0 blocks
==28891==    still reachable: 62,805 bytes in 216 blocks
==28891==         suppressed: 0 bytes in 0 blocks
==28891== Rerun with --leak-check=full to see details of leaked memory
==28891== 
==28891== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==28891== 
==28891== 1 errors in context 1 of 1:
==28891== Invalid read of size 1
==28891==    at 0x8A97D89: skipspaces (egg_lang.c:16)
==28891==    by 0x8A995FC: r_egg_mkvar (egg_lang.c:531)
==28891==    by 0x8A9B9FD: rcc_next (egg_lang.c:1134)
==28891==    by 0x8A9C38C: r_egg_lang_parsechar (egg_lang.c:1304)
==28891==    by 0x8A97376: r_egg_compile (egg.c:345)
==28891==    by 0x4E4B1FD: r_main_ragg2 (ragg2.c:399)
==28891==    by 0x108739: main (ragg2.c:6)
==28891==  Address 0x4141414141414141 is not stack'd, malloc'd or (recently) free'd
==28891== 
==28891== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[1]    28891 segmentation fault (core dumped) 

[lowlyw]

the bug is we write into the elem

egg->lang.elem[egg->lang.elem_n++] = c;

without checking elem_n. i'd say that elem should probably be an RBuffer