preproc: fix heap memory overflow CVE-2023-31722

hongjinghao · H. Peter Anvin (Intel) · commit e39b856bdeec · 2025-10-07T14:58:03.000-07:00
paramlen has heap memory of length nparam+1. The value of variable i may be greater than nparam+1, causing heap memory overflow. Therefore, i and nparam+1 needs to be determined in the loop. Fixes: https://bugzilla.nasm.us/show_bug.cgi?id=3392857#c1 Fixes: #83 Signed-off-by: H. Peter Anvin (Intel) <hpa@zytor.com>
diff --git a/asm/preproc.c b/asm/preproc.c
@@ -7245,7 +7245,7 @@ static int expand_mmacro(Token * tline)
      */
     nasm_newn(paramlen, nparam+1);
 
-    for (i = 1; (t = params[i]); i++) {
+    for (i = 1; i < nparam+1 && (t = params[i]); i++) {
         bool braced = false;
         int brace = 0;
         int white = 0;
diff --git a/nasmlib/alloc.c b/nasmlib/alloc.c
@@ -74,8 +74,10 @@ void *nasm_realloc(void *q, size_t size)
 
 void nasm_free(void *q)
 {
-    if (q)
+    if (q){
         free(q);
+	q = NULL;
+    }
 }
 
 char *nasm_strdup(const char *s)

Original file line number	Diff line number	Diff line change
`@@ -74,8 +74,10 @@ void nasm_realloc(void q, size_t size)`
`74`	`74`
`75`	`75`	`void nasm_free(void *q)`
`76`	`76`	`{`
`77`		`- if (q)`
	`77`	`+ if (q){`
`78`	`78`	`free(q);`
	`79`	`+ q = NULL;`
	`80`	`+ }`
`79`	`81`	`}`
`80`	`82`
`81`	`83`	`char nasm_strdup(const char s)`