| Field | Value |
|---|---|
| Title | skvadrik re2c 04f1424 NULL Pointer Dereference |

### Description
We discovered a Segmentation Fault in re2c. The crash occurs in re2c::closure_leftmost_dfs when processing a crafted .re file.
The ASAN report indicates a SEGV on address 0x000000000018. This suggests a NULL pointer dereference where the code attempts to read a member variable (at offset 0x18) from a NULL pointer during the epsilon closure calculation phase of determinization.
Vendor confirmed and fixed this vulnerability in commit [febeb97](https://github.com/skvadrik/re2c/commit/febeb977936f9519a25d9fbd10ff8256358cdb97).
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
### Vulnerability Details
- Target: re2c
- Vulnerability Type: CWE-476: NULL Pointer Dereference
- Function: re2c::closure_leftmost_dfs
- Location: src/dfa/closure_leftmost.h:27:21
- Caller: re2c::closure_leftmost -> re2c::closure -> re2c::determinization
- Root Cause Analysis: The crash happens during the determinization phase, specifically inside tagged_epsilon_closure. The stack trace shows the crash at closure_leftmost.h:27. The address 0x18 implies that a pointer (likely representing an NFA state or a configuration node in the determ_context_t) is NULL, and the code tries to access a field at offset 24 (0x18) relative to that base pointer.
### Reproduce
1. Build re2c with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0202/blob/main/re/repro):
```
./build/re2c repro
```
<details>
<summary>ASAN report</summary>

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==93328==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x56245cc7999d bp 0x7fb78eecc760 sp 0x7ffc87dae7f0 T0)
==93328==The signal is caused by a READ memory access.
==93328==Hint: address points to the zero page.
#0 0x56245cc7999d in void re2c::closure_leftmost_dfs<re2c::determ_context_t<re2c::lhistory_t>>(re2c::determ_context_t<re2c::lhistory_t>&) /src/re2c/./src/dfa/closure_leftmost.h:27:21
#1 0x56245cc7999d in re2c::closure_leftmost(re2c::determ_context_t<re2c::lhistory_t>&) /src/re2c/./src/dfa/closure_leftmost.h:13:5
#2 0x56245cc8742f in void re2c::closure<re2c::determ_context_t<re2c::lhistory_t>>(re2c::determ_context_t<re2c::lhistory_t>&) /src/re2c/src/dfa/closure.cc:75:5
#3 0x56245cc8742f in void re2c::tagged_epsilon_closure<re2c::determ_context_t<re2c::lhistory_t>>(re2c::determ_context_t<re2c::lhistory_t>&) /src/re2c/src/dfa/closure.cc:63:5
#4 0x56245ccbc927 in re2c::Ret re2c::determinization<re2c::determ_context_t<re2c::lhistory_t>>(re2c::determ_context_t<re2c::lhistory_t>&) /src/re2c/src/dfa/determinization.cc:61:5
#5 0x56245ccbc927 in re2c::determinization(re2c::Tnfa&&, re2c::Tdfa&, re2c::opt_t const*, re2c::Msg&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char>> const&) /src/re2c/src/dfa/determinization.cc:45:16
#6 0x56245cdafdd5 in re2c::ast_to_dfa(re2c::AstGram const&, re2c::Output&, std::vector<std::unique_ptr<re2c::Adfa, std::default_delete<re2c::Adfa>>, std::allocator<std::unique_ptr<re2c::Adfa, std::default_delete<re2c::Adfa>>>>&, re2c::slab_allocator_t<(re2c::AllocatorKind)2, 65536u, 8ul>&) /src/re2c/src/main.cc:79:5
#7 0x56245cdafdd5 in re2c::compile(int, char**) /src/re2c/src/main.cc:188:17
#8 0x56245cdafdd5 in main /src/re2c/src/main.cc:239:12
#9 0x7fb7908131c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#10 0x7fb79081328a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#11 0x56245ca1a7c4 in _start (/src/re2c/build/re2c+0x517c4) (BuildId: 8e82d797d7954ab02bc4f78ecb8cf8be0452fd75)
==93328==Register values:
rax = 0x0000000000000003 rbx = 0x0000000000000000 rcx = 0x0000000000000000 rdx = 0x0000502000000280
rdi = 0x0000000000000018 rsi = 0x00007fb78eecc750 rbp = 0x00007fb78eecc760 rsp = 0x00007ffc87dae7f0
r8 = 0x00007fb78eecc758 r9 = 0x00000ac48b9e6bc8 r10 = 0x00000ff6f1dd98eb r11 = 0x00000ff6f1dd98ea
r12 = 0x000056245cf35e40 r13 = 0x0000000000000001 r14 = 0x00000a040000004e r15 = 0x0000502000000280
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/re2c/./src/dfa/closure_leftmost.h:27:21 in void re2c::closure_leftmost_dfs<re2c::determ_context_t<re2c::lhistory_t>>(re2c::determ_context_t<re2c::lhistory_t>&)
==93328==ABORTING
```
</details>

| Field | Value |
|---|---|
| Source | https://github.com/skvadrik/re2c/issues/571 |
| User | Oneafter (UID 92781) |
| Submitted | 10/02/2026 03:06 (4 months ago) |
| Moderated | 20/02/2026 21:02 (11 days later) |
| Status | accepted |
| VulDB Entry | 347210 [skvadrik re2c up to 4.4 src/parse/ast.cc check_and_merge_special_rules Denial of Service] |
| Points | 20 |