Fix CVE-2023-31722

paramlen has heap memory of length nparam+1. The value of variable i may be greater than nparam+1, causing heap memory overflow. Therefore, i and nparam+1 needs to be determined in the loop. fix:https://bugzilla.nasm.us/show_bug.cgi?id=3392857#c1
netwide-assembler · Sep 5, 2023 · 6ed6343 · 6ed6343
1 parent a916e41
commit 6ed6343
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/asm/preproc.c b/asm/preproc.c
@@ -6817,7 +6817,7 @@ static int expand_mmacro(Token * tline)
      */
     nasm_newn(paramlen, nparam+1);
 
-    for (i = 1; (t = params[i]); i++) {
+    for (i = 1; i < nparam+1 && (t = params[i]); i++) {
         bool braced = false;
         int brace = 0;
         int white = 0;