Submeter #753166: FascinatedBox lily main branch Heap-based Buffer Overflowinformação

Título	FascinatedBox lily main branch Heap-based Buffer Overflow
Descrição	### Description We discovered a Heap-buffer-overflow vulnerability in the Lily interpreter. The crash occurs in count_transforms when the emitter is performing closure transformation (perform_closure_transform). The ASAN report indicates a READ violation of size 2 (reading a uint16), occurring 68 bytes past a small (16-byte) heap allocation. ### Environment - OS: Linux x86_64 - Complier: Clang - Build Configuration: Release mode with ASan enabled. ### Vulnerability Details - Target: Lily (jcowgar/lily) - Vulnerability Type: CWE-125: Out-of-bounds Read - Function: count_transforms - Location: src/lily_emitter.c:1341 (called by perform_closure_transform at line 1565) - Root Cause Analysis: The function count_transforms likely iterates over bytecode or a list of upvalues/transforms. ``` // src/lily_emitter.c:1341 // Likely reading a uint16 opcode or index uint16_t value = buffer[index]; ``` The ASAN report shows the access is significantly out of bounds (68 bytes after a 16-byte region). This suggests that count_transforms is either iterating way past the end of the bytecode buffer, or it is using an invalid index derived from a corrupted state during the closure analysis phase. The small allocation size (16 bytes) suggests the buffer might have been reallocated or is a small temporary array that wasn't sized correctly for the number of transforms being processed. ### Reproduce 1. Build lily with Release optimization and ASAN enabled. 2. Run with the crashing [file](https://github.com/oneafter/0122/blob/main/i381/repro.lily): ``` ./build/lily repro.lily ``` <details> <summary>ASAN report</summary> ``` ==10063==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000011a4 at pc 0x5605928c903c bp 0x7ffe36d54bb0 sp 0x7ffe36d54ba8 READ of size 2 at 0x5020000011a4 thread T0 #0 0x5605928c903b in count_transforms /src/lily/src/lily_emitter.c:1341:17 #1 0x5605928c903b in perform_closure_transform /src/lily/src/lily_emitter.c:1565:33 #2 0x5605928c903b in finish_block_code /src/lily/src/lily_emitter.c:820:9 #3 0x5605928caa37 in lily_emit_leave_lambda_block /src/lily/src/lily_emitter.c:908:5 #4 0x560592928388 in lily_parser_lambda_eval /src/lily/src/lily_parser.c:3450:5 #5 0x5605928d4cf7 in eval_lambda_to_parse /src/lily/src/lily_emitter.c:3002:31 #6 0x5605928d4cf7 in eval_tree /src/lily/src/lily_emitter.c:4878:9 #7 0x5605928ea49d in eval_call_arg /src/lily/src/lily_emitter.c:4014:5 #8 0x5605928e3e54 in run_call /src/lily/src/lily_emitter.c:4161:13 #9 0x5605928e3e54 in eval_call /src/lily/src/lily_emitter.c:4377:5 #10 0x5605928cfe46 in eval_tree /src/lily/src/lily_emitter.c #11 0x5605928cece6 in lily_eval_expr /src/lily/src/lily_emitter.c:4906:5 #12 0x560592932339 in parser_loop /src/lily/src/lily_parser.c:5950:17 #13 0x560592930be9 in lily_parse_content /src/lily/src/lily_parser.c:6562:9 #14 0x5605928a137e in main /src/lily/run/lily.c:103:18 #15 0x7fd6958491c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #16 0x7fd69584928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #17 0x5605927bf624 in _start (/src/lily/build_afl/lily+0x4f624) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4) 0x5020000011a4 is located 68 bytes after 16-byte region [0x502000001150,0x502000001160) allocated by thread T0 here: #0 0x56059285f870 in realloc (/src/lily/build_afl/lily+0xef870) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4) #1 0x5605928a35e5 in lily_realloc /src/lily/src/lily_alloc.c:14:20 #2 0x5605928b3a54 in lily_u16_write_2 /src/lily/src/lily_buffer_u16.c:31:19 #3 0x5605928c6e53 in perform_closure_transform /src/lily/src/lily_emitter.c:1458:5 #4 0x5605928c6e53 in finish_block_code /src/lily/src/lily_emitter.c:820:9 #5 0x5605928caa37 in lily_emit_leave_lambda_block /src/lily/src/lily_emitter.c:908:5 #6 0x560592928388 in lily_parser_lambda_eval /src/lily/src/lily_parser.c:3450:5 #7 0x5605928d4cf7 in eval_lambda_to_parse /src/lily/src/lily_emitter.c:3002:31 #8 0x5605928d4cf7 in eval_tree /src/lily/src/lily_emitter.c:4878:9 #9 0x5605928ea49d in eval_call_arg /src/lily/src/lily_emitter.c:4014:5 #10 0x5605928e3e54 in run_call /src/lily/src/lily_emitter.c:4161:13 #11 0x5605928e3e54 in eval_call /src/lily/src/lily_emitter.c:4377:5 #12 0x5605928cfe46 in eval_tree /src/lily/src/lily_emitter.c #13 0x5605928cece6 in lily_eval_expr /src/lily/src/lily_emitter.c:4906:5 #14 0x560592932339 in parser_loop /src/lily/src/lily_parser.c:5950:17 #15 0x560592930be9 in lily_parse_content /src/lily/src/lily_parser.c:6562:9 #16 0x5605928a137e in main /src/lily/run/lily.c:103:18 #17 0x7fd6958491c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #18 0x7fd69584928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e) #19 0x5605927bf624 in _start (/src/lily/build_afl/lily+0x4f624) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4) SUMMARY: AddressSanitizer: heap-buffer-overflow /src/lily/src/lily_emitter.c:1341:17 in count_transforms Shadow bytes around the buggy address: 0x502000000f00: fa fa 00 03 fa fa 00 fa fa fa 00 03 fa fa 00 00 0x502000000f80: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 01 0x502000001000: fa fa 00 01 fa fa 00 00 fa fa 02 fa fa fa 05 fa 0x502000001080: fa fa 00 02 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x502000001100: fa fa fd fd fa fa 00 02 fa fa 00 00 fa fa fa fa =>0x502000001180: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa 0x502000001200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000001280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000001300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000001380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x502000001400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==10063==ABORTING ``` </details>
Fonte	⚠️ https://github.com/FascinatedBox/lily/issues/381
Utilizador	Oneafter (UID 92781)
Submissão	06/02/2026 04h34 (há 4 meses)
Moderação	18/02/2026 08h31 (12 days later)
Estado	Aceite
Entrada VulDB	346460 [FascinatedBox lily até 2.3 src/lily_emitter.c count_transforms Divulgação de Informação]
Pontos	20

◂ Voltar Visão Geral Próximo ▸

Might our Artificial Intelligence support you?

Check our Alexa App!