Submit #761328: FascinatedBox lily main-branch NULL Pointer Dereferenceinfo

Title: FascinatedBox lily main-branch NULL Pointer Dereference

Description:

### Description

We discovered a Segmentation Fault in the Lily interpreter. The crash occurs in eval_tree when the emitter is evaluating a Hash structure (eval_build_hash). The ASAN report indicates a READ memory access on address 0x000000000008. This strongly suggests a NULL Pointer Dereference where a struct member (at offset 8) is accessed from a NULL pointer.

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Target: Lily (jcowgar/lily)
- Vulnerability Type: CWE-476: NULL Pointer Dereference
- Function: eval_tree
- Location: src/lily_emitter.c:4832 (called by eval_build_hash at line 3739)
- Root Cause Analysis: The call stack shows the crash happens during eval_build_hash, which calls eval_tree.

```c
// Example logic in eval_tree (illustrative sketch from the report, not the actual source)
void eval_tree(lily_emit_state *emit, lily_ast *ast)
{
    // ...
    // If 'ast' is NULL here, reading a member at offset 8 faults on address 0x8
    if (ast->expr_type == ...)
    // ...
}
```

The address 0x8 confirms the base pointer is NULL. This suggests that eval_build_hash is passing a NULL AST node to eval_tree, possibly due to a malformed hash literal in the source code where a key or value expression is missing or invalid.

### Reproduce

1. Build lily with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0122/blob/main/i384/repro.lily):

```
./build/lily repro.lily
```

<details>
<summary>ASAN report</summary>

```
==14610==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x5557debdce18 bp 0x7ffc70e7f670 sp 0x7ffc70e7f500 T0)
==14610==The signal is caused by a READ memory access.
==14610==Hint: address points to the zero page.
    #0 0x5557debdce18 in eval_tree /src/lily/src/lily_emitter.c:4832:14
    #1 0x5557debe3b4b in eval_build_hash /src/lily/src/lily_emitter.c:3739:9
    #2 0x5557debe3b4b in eval_tree /src/lily/src/lily_emitter.c:4864:9
    #3 0x5557debf9120 in eval_assign_global /src/lily/src/lily_emitter.c:2753:5
    #4 0x5557debf9120 in eval_assign /src/lily/src/lily_emitter.c:2934:9
    #5 0x5557debdceb3 in eval_binary_op /src/lily/src/lily_emitter.c:2635:13
    #6 0x5557debdceb3 in eval_tree /src/lily/src/lily_emitter.c:4852:9
    #7 0x5557debdcce6 in lily_eval_expr /src/lily/src/lily_emitter.c:4906:5
    #8 0x5557dec602bd in keyword_var /src/lily/src/lily_parser.c:3644:9
    #9 0x5557dec40efb in parser_loop /src/lily/src/lily_parser.c:5946:17
    #10 0x5557dec3ebe9 in lily_parse_content /src/lily/src/lily_parser.c:6562:9
    #11 0x5557debaf37e in main /src/lily/run/lily.c:103:18
    #12 0x7f07c8aaf1c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #13 0x7f07c8aaf28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #14 0x5557deacd624 in _start (/src/lily/build_afl/lily+0x4f624) (BuildId: ec5f784cf13dad836217a07e33a2c98d8b7f8bb4)

==14610==Register values:
rax = 0x0000000000000000  rbx = 0x00007ffc70e7f500  rcx = 0x00005557df6aab20  rdx = 0x000000000000000d
rdi = 0xffffffffffffffff  rsi = 0x000000000000000d  rbp = 0x00007ffc70e7f670  rsp = 0x00007ffc70e7f500
r8  = 0x0000000000000000  r9  = 0x00007fffffffff01  r10 = 0x0000000000000001  r11 = 0x00005557ded3ed80
r12 = 0x0000000000000008  r13 = 0x000050e000000040  r14 = 0x0000000000000000  r15 = 0x0000000000000001
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/lily/src/lily_emitter.c:4832:14 in eval_tree
==14610==ABORTING
```

</details>
Source: https://github.com/FascinatedBox/lily/issues/384
User: Oneafter (UID 92781)
Submission: 02/18/2026 14:58 (2 months ago)
Moderation: 02/28/2026 18:04 (10 days later)
Status: Accepted
VulDB entry: 348278 [FascinatedBox lily up to 2.3 src/lily_emitter.c eval_tree null pointer dereference]
Points: 20
