null pointer dereference in function get_signed_expression()
ATasm is a 6502 command-line cross-assembler.
Brought to you by:
schmelze
Menu
▾
▴
1 Attachments
#20 null pointer dereference in function get_signed_expression()
Hi,
While fuzzing ATasm 1.09, I found null pointer dereference in the function get_signed_expression(),in setparse.c
─── source:setparse.c+173 ────
168 char math[]="[]*/+-&|^<>=";
169
170 buf[0]=0;
171 walk=buf;
172 look=str;
// look=0x00007fffffffd210 → 0x0000000000000000
→ 173 while(*look) {
174 if (*look=='*') {
175 if ((walk==buf)||((!ISDIGIT(*(walk-1)))&&(*(walk-1)!=']'))||
176 (*(look+1)=='*')) {
177 snprintf(work,256,"%d",pc);
178 strcpy(walk,work);
─── threads ────
[#0] Id 1, Name: "atasm", stopped 0x555555560d49 in get_signed_expression (), reason: SIGSEGV
───── trace ────
[#0] 0x555555560d49 → get_signed_expression(str=0x0, tp=0x1)
[#1] 0x555555560205 → get_expression(str=0x0, tp=0x1)
[#2] 0x55555555aae0 → proc_sym(sym=0x555555581e80)
[#3] 0x55555555b5fe → do_cmd(buf=0x55555556c500 <buf> "")
[#4] 0x55555555b715 → assemble(fname=0x7fffffffd7c0 "demo2")
[#5] 0x55555555cc56 → main(argc=0x2, argv=0x7fffffffddc8)
─────────────
reproduce:
atasm null_pointer_dereference_03_setparse_173
