Submit #719823: floooh sokol e0832c9 Stack-based Buffer Overflow

Title: floooh sokol e0832c9 Stack-based Buffer Overflow
Description:
### Description
We found a Stack Buffer Underflow in sokol_gfx. This is distinct from the previous SEGV and Stack Overflow issues. The crash occurs within _sg_pipeline_desc_defaults. The ASAN report indicates a READ of size 4 that underflows a stack-allocated array (auto_offset). This typically happens when an array index variable becomes negative (e.g., -1), causing the code to read memory immediately preceding the auto_offset array on the stack. Vendor confirmed and fixed this vulnerability in commit [5d11344](https://github.com/floooh/sokol/commit/5d11344150973f15e16d3ec4ee7550a73fb995e0).

### Environment
- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Tools: AddressSanitizer
- Affected Version: `master branch`

### Vulnerability Details
- Target: sokol (sokol_gfx.h)
- Crash Type: Stack-buffer-underflow (Read)
- Location: sokol_gfx.h:24084 (in _sg_pipeline_desc_defaults)
- Function: _sg_pipeline_desc_defaults
- Root Cause Analysis: The stack trace shows: sg_make_pipeline -> _sg_pipeline_desc_defaults. A local array auto_offset is allocated on the stack (frame offset 32). ASan detects an access at offset 28 (4 bytes before the start). This suggests that _sg_pipeline_desc_defaults is using an index variable to access auto_offset[index], and due to a logic error, this index becomes -1.

### Reproduce
1. Compile the sokol test [harness](https://github.com/oneafter/1212/blob/main/harness.c) with AddressSanitizer enabled (-fsanitize=address -g)
2. Run the fuzzer harness with the attached [repro](https://github.com/oneafter/1212/blob/main/stack2) input:
```
./harness repro
```

ASAN report
```
==20102==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7f1f57b0001c at pc 0x55eb342777f6 bp 0x7ffec3f912b0 sp 0x7ffec3f912a8
READ of size 4 at 0x7f1f57b0001c thread T0
    #0 0x55eb342777f5 in _sg_pipeline_desc_defaults /src/sokol/./sokol_gfx.h:24084:44
    #1 0x55eb34271c25 in sg_make_pipeline /src/sokol/./sokol_gfx.h:25146:33
    #2 0x55eb34287497 in fuzz_input /src/sokol/harness_gfx_traditional.c:129:31
    #3 0x55eb3428b4b5 in main /src/sokol/harness_gfx_traditional.c:206:9
    #4 0x7f1f59aca1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x7f1f59aca28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #6 0x55eb34175a64 in _start (/src/sokol/harness_gfx_traditional_fuzzer+0x8ba64) (BuildId: 756621c3a83311878fe2c1bf2919da032f4ab964)

Address 0x7f1f57b0001c is located in stack of thread T0 at offset 28 in frame
    #0 0x55eb3427228f in _sg_pipeline_desc_defaults /src/sokol/./sokol_gfx.h:24002

  This frame has 1 object(s):
    [32, 64) 'auto_offset' (line 24066) <== Memory access at offset 28 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /src/sokol/./sokol_gfx.h:24084:44 in _sg_pipeline_desc_defaults
Shadow bytes around the buggy address:
  0x7f1f57affd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57affe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57affe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57afff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57afff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f1f57b00000: f1 f1 f1[f1]00 00 00 00 f3 f3 f3 f3 00 00 00 00
  0x7f1f57b00080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57b00100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57b00180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57b00200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f1f57b00280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20102==ABORTING
```
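The negative-index pattern the root cause analysis describes, modelled as an added example that is neither sokol's code nor the submitter's: the struct, the constant, the attribute list layout and the helper names are assumptions, chosen to put the unchecked loop beside a version that range-checks the buffer index before it touches auto_offset.

```c
/* Constructed model of the auto-offset computation the report describes.
 * Not sokol's code: struct, constants and helper names are assumptions
 * chosen to show the negative-index pattern and one way to close it. */
#include <stdbool.h>
#include <stddef.h>

#define MAX_VERTEX_BUFFERS 8

typedef struct {
    int buffer_index;  /* taken from the (fuzzer-controlled) pipeline desc */
    int byte_size;     /* 0 terminates the attribute list */
    int offset;        /* computed output */
} attr_state;

/* 'Before': the index is trusted. buffer_index == -1 reads auto_offset[-1],
 * the 4 bytes just before the array on the stack, which matches the READ of
 * size 4 at offset 28 in the report. Kept only as the vulnerable shape. */
void auto_offsets_unchecked(attr_state* attrs, size_t n) {
    int auto_offset[MAX_VERTEX_BUFFERS] = {0};
    for (size_t i = 0; i < n && attrs[i].byte_size != 0; i++) {
        attrs[i].offset = auto_offset[attrs[i].buffer_index];
        auto_offset[attrs[i].buffer_index] += attrs[i].byte_size;
    }
}

/* 'After': range-check the index before it touches the array and reject the
 * whole descriptor. The unsigned cast turns -1 into a huge value, so one
 * comparison rejects both negative and too-large indices. */
bool auto_offsets_checked(attr_state* attrs, size_t n) {
    int auto_offset[MAX_VERTEX_BUFFERS] = {0};
    for (size_t i = 0; i < n && attrs[i].byte_size != 0; i++) {
        if ((unsigned)attrs[i].buffer_index >= MAX_VERTEX_BUFFERS) {
            return false;  /* invalid desc: caller must not create the pipeline */
        }
        attrs[i].offset = auto_offset[attrs[i].buffer_index];
        auto_offset[attrs[i].buffer_index] += attrs[i].byte_size;
    }
    return true;
}

/* Runs the checked version on a constructed descriptor whose last attribute
 * uses `idx`; returns that attribute's offset, or -1 if it was rejected. */
int last_attr_offset(int idx) {
    attr_state a[] = {{0, 12, 0}, {0, 8, 0}, {1, 16, 0}, {idx, 4, 0}, {0, 0, 0}};
    return auto_offsets_checked(a, 5) ? a[3].offset : -1;
}
```

Because `auto_offsets_checked` reports failure instead of indexing, a caller can refuse the pipeline creation and log the bad descriptor, which is also a cheap way to detect fuzzer or malformed-asset inputs in a release build where ASan is absent.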
Source: https://github.com/floooh/sokol/issues/1405
User: Oneafter (UID 92781)
Submission: 12/19/2025 10:43 AM (2 months ago)
Moderation: 12/27/2025 05:51 PM (8 days later)
Status: Accepted
VulDB entry: 338533 [floooh sokol up to 16cbcc864012898793cd2bc57f802499a264ea40 sokol_gfx.h _sg_pipeline_desc_defaults stack-based overflow]
Points: 20