Submit #733329: lief-project LIEF 9698ea6 Memory Corruption

Title: lief-project LIEF 9698ea6 Memory Corruption
Description:

### Description

We encountered a SIGSEGV (Segmentation Fault) in the elf_reader example of LIEF. The crash occurs within LIEF::ELF::GnuHash::original_size() when parsing a malformed ELF binary. The ASAN report indicates a READ memory access at address 0x000000000060, suggesting a Null Pointer Dereference. This happens immediately after the parser fails to read the number of buckets in the GNU Hash section.

Vendor confirmed and fixed this vulnerability in commit [8bba616](https://github.com/lief-project/LIEF/commit/8bba61609ff8dfd8046a67497bfa6e2d06f7d8d4).

### Environment

- OS: Linux x86_64
- Compiler: Clang with -fsanitize=address
- Build Configuration: Release
- Tools: AddressSanitizer

### Vulnerability Details

- Target: LIEF (example elf_reader)
- Vulnerability Type: Segmentation Fault (SEGV) on unknown address 0x000000000060
- Location: include/LIEF/ELF/GnuHash.hpp:136
- Function: LIEF::ELF::GnuHash::original_size() const
- Root Cause Analysis: The log shows the error message `== Parse symbol GNU hash ==` followed by `Can't read the number of buckets`. This indicates that Parser::parse_gnu_hash failed to initialize the GNU Hash structure correctly. However, the parser seemingly proceeds to call original_size() on the invalid or null GnuHash object/pointer in Parser::parse_binary. The offset 0x60 corresponds to a member access on a NULL pointer.

### Reproduce

```
./elf_reader repro
```

Download Link: [repro](https://github.com/oneafter/1210/blob/main/segv1)

ASAN report

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==21985==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000060 (pc 0x555c9fe2ad93 bp 0x7ffee63f28f0 sp 0x7ffee63f28e0 T0)
==21985==The signal is caused by a READ memory access.
==21985==Hint: address points to the zero page.
    #0 0x555c9fe2ad93 in LIEF::ELF::GnuHash::original_size() const /src/repro/LIEF/include/LIEF/ELF/GnuHash.hpp:136
    #1 0x555c9fe33145 in LIEF::ok_error_t LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF64>() /src/repro/LIEF/src/ELF/Parser.tcc:132
    #2 0x555c9fe23dfa in LIEF::ELF::Parser::init() /src/repro/LIEF/src/ELF/Parser.cpp:349
    #3 0x555c9fe24294 in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::ParserConfig const&) /src/repro/LIEF/src/ELF/Parser.cpp:368
    #4 0x555c9faf87b8 in main /src/repro/LIEF/examples/cpp/elf_reader.cpp:34
    #5 0x7f80fb6b61c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9)
    #6 0x7f80fb6b628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a)
    #7 0x555c9faf8174 in _start (/src/repro/LIEF/build/examples/cpp/elf_reader+0x3fd174)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/repro/LIEF/include/LIEF/ELF/GnuHash.hpp:136 in LIEF::ELF::GnuHash::original_size() const
==21985==ABORTING
```
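The following is an added illustration of the bug pattern the report describes; it is neither the reporter's code nor LIEF's own source. It models a GNU hash section with a hypothetical, simplified `GnuHash` struct, a `parse_gnu_hash()` that returns a null pointer when the bucket count (or any later field) cannot be read, and two callers: `parse_binary_unchecked()`, which mirrors the reported defect by calling `original_size()` without testing the result, and `parse_binary_checked()`, which propagates the parse failure instead. The section layout and the sample byte arrays are constructed for the example and assume a little-endian host.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <memory>
#include <optional>
#include <string>
#include <vector>

// Hypothetical, simplified model of a GNU hash section (not LIEF's class).
struct GnuHash {
    uint32_t nbuckets = 0, symndx = 0, maskwords = 0, shift2 = 0;
    std::vector<uint64_t> bloom;
    std::vector<uint32_t> buckets;

    // Bytes the parsed section occupies on disk (model of original_size()).
    size_t original_size() const {
        return 4 * sizeof(uint32_t)
             + bloom.size() * sizeof(uint64_t)
             + buckets.size() * sizeof(uint32_t);
    }
};

// Bounds-checked little-endian read; nullopt when the field would run past `size`.
template <typename T>
static std::optional<T> read_le(const uint8_t* data, size_t size, size_t off) {
    if (off > size || size - off < sizeof(T)) return std::nullopt;
    T v;
    std::memcpy(&v, data + off, sizeof v);
    return v;
}

// Model of parse_gnu_hash: any unreadable field yields nullptr, so the
// caller is the one place where the failure can still be ignored.
std::unique_ptr<GnuHash> parse_gnu_hash(const uint8_t* data, size_t size) {
    auto nbuckets = read_le<uint32_t>(data, size, 0);
    if (!nbuckets) return nullptr;              // "Can't read the number of buckets"
    auto symndx    = read_le<uint32_t>(data, size, 4);
    auto maskwords = read_le<uint32_t>(data, size, 8);
    auto shift2    = read_le<uint32_t>(data, size, 12);
    if (!symndx || !maskwords || !shift2) return nullptr;

    auto gh = std::make_unique<GnuHash>();
    gh->nbuckets = *nbuckets;  gh->symndx = *symndx;
    gh->maskwords = *maskwords; gh->shift2 = *shift2;

    size_t off = 16;  // header is 4 x u32, so size >= 16 here
    // Reject counts the remaining bytes cannot hold before allocating for them.
    if (*maskwords > (size - off) / sizeof(uint64_t)) return nullptr;
    for (uint32_t i = 0; i < *maskwords; ++i, off += sizeof(uint64_t)) {
        auto w = read_le<uint64_t>(data, size, off);
        if (!w) return nullptr;
        gh->bloom.push_back(*w);
    }
    if (*nbuckets > (size - off) / sizeof(uint32_t)) return nullptr;
    for (uint32_t i = 0; i < *nbuckets; ++i, off += sizeof(uint32_t)) {
        auto b = read_le<uint32_t>(data, size, off);
        if (!b) return nullptr;
        gh->buckets.push_back(*b);
    }
    return gh;
}

// Caller shaped like the reported defect: the result is used without a null
// check. On a section whose header cannot be read this dereferences nullptr
// (undefined behaviour; ASan reports it as a SEGV on a near-zero address).
size_t parse_binary_unchecked(const uint8_t* data, size_t size) {
    std::unique_ptr<GnuHash> gh = parse_gnu_hash(data, size);
    return gh->original_size();
}

// Hardened caller: a failed parse becomes an error result, never a member access.
std::optional<size_t> parse_binary_checked(const uint8_t* data, size_t size) {
    std::unique_ptr<GnuHash> gh = parse_gnu_hash(data, size);
    if (!gh) return std::nullopt;
    return gh->original_size();
}

// Constructed sample: nbuckets=2, symndx=1, maskwords=1, shift2=6, 1 bloom word, 2 buckets.
static const uint8_t kGoodSection[] = {
    2,0,0,0,  1,0,0,0,  1,0,0,0,  6,0,0,0,
    0,0,0,0,0,0,0,0,
    0,0,0,0,  1,0,0,0,
};
// Constructed sample: truncated after two bytes, so nbuckets cannot be read.
static const uint8_t kTruncatedSection[] = { 2, 0 };
// Constructed sample: header claims 0xFFFFFFFF bloom words with no bytes to back them.
static const uint8_t kOversizedSection[] = {
    2,0,0,0,  1,0,0,0,  0xFF,0xFF,0xFF,0xFF,  6,0,0,0,
};

int main() {
    auto ok  = parse_binary_checked(kGoodSection, sizeof kGoodSection);
    auto bad = parse_binary_checked(kTruncatedSection, sizeof kTruncatedSection);
    std::cout << "well-formed: " << (ok ? std::to_string(*ok) : "error") << "\n"
              << "truncated:   " << (bad ? std::to_string(*bad) : "error (no crash)") << "\n";
    return 0;
}
```

The checked caller is the shape of fix a reviewer would ask for at the call site in the report's stack frame #1: the parse helper already knows it failed, so the caller must consume that signal rather than the object. Running `parse_binary_unchecked()` on `kTruncatedSection` under AddressSanitizer reproduces the class of report shown above (a READ from a small offset off the zero page, here the `bloom` vector inside the null `GnuHash`), which is why the hardened caller is the one the test exercises on malformed input.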
Source: https://github.com/lief-project/LIEF/issues/1277
User: Oneafter (UID 92781)
Submission: 01/07/2026 06:57 AM (1 month ago)
Moderation: 01/09/2026 10:59 PM (3 days later)
Status: Accepted
VulDB entry: 340375 [lief-project LIEF up to 0.17.1 ELF Binary Parser src/ELF/Parser.tcc Parser::parse_binary null pointer dereference]
Points: 20
