| Title | berry-lang berry 7af8289 Buffer Overflow |
|---|
| Description | ### Description
The crash occurs within the next function in src/be_lexer.c, leading to an invalid read access of size 1. This was triggered while parsing a specific crafted script.
Vendor confirmed and fixed this vulnerability in commit [7149c59](https://github.com/berry-lang/berry/commit/7149c59a39ba44feca261b12f06089f265fec176).
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Affected Version: master-branch
- Build Configuration: Release mode with ASan enabled.
### Reproduce
1. Build berry with Release optimization and ASAN enabled.
2. Run with the crashing [file](https://github.com/oneafter/0211/blob/main/be/repro):
```
./berry repro
```
<details>
<summary>ASAN report</summary>
```
==2360358==ERROR: AddressSanitizer: global-buffer-overflow on address 0x583f79f76f21 at pc 0x583f79ef5925 bp 0x7ffd3c8ae450 sp 0x7ffd3c8ae448
READ of size 1 at 0x583f79f76f21 thread T0
#0 0x583f79ef5924 in next /home/cobot001/src/berry/src/be_lexer.c:111:28
#1 0x583f79ef5924 in save /home/cobot001/src/berry/src/be_lexer.c:135:12
#2 0x583f79ef5924 in scan_string /home/cobot001/src/berry/src/be_lexer.c:689:17
#3 0x583f79eedbeb in lexer_next /home/cobot001/src/berry/src/be_lexer.c:824:20
#4 0x583f79eedbeb in be_lexer_scan_next /home/cobot001/src/berry/src/be_lexer.c:888:12
#5 0x583f79f0f9e4 in be_parser_source /home/cobot001/src/berry/src/be_parser.c:1841:5
#6 0x583f79ed7ea3 in m_parser /home/cobot001/src/berry/src/be_exec.c:166:20
#7 0x583f79ed7829 in be_execprotected /home/cobot001/src/berry/src/be_exec.c:122:9
#8 0x583f79ed7a2d in be_protectedparser /home/cobot001/src/berry/src/be_exec.c:183:11
#9 0x583f79ed83f8 in fileparser /home/cobot001/src/berry/src/be_exec.c:228:15
#10 0x583f79ed83f8 in be_loadmode /home/cobot001/src/berry/src/be_exec.c:272:15
#11 0x583f79f56866 in doscript /home/cobot001/src/berry/default/berry.c:214:15
#12 0x583f79f56866 in load_script /home/cobot001/src/berry/default/berry.c:240:15
#13 0x583f79f56866 in analysis_args /home/cobot001/src/berry/default/berry.c:406:12
#14 0x583f79f56866 in main /home/cobot001/src/berry/default/berry.c:414:11
#15 0x7001ec42a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#16 0x7001ec42a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#17 0x583f79dc2624 in _start (/home/cobot001/src/berry/berry+0x48624) (BuildId: 6dbb38575c8b45077e86168ca4c01adc6ef2da49)
0x583f79f76f21 is located 31 bytes before global variable '.str.4' defined in '/home/cobot001/src/berry/src/be_lexer.c:835' (0x583f79f76f40) of size 23
'.str.4' is ascii string 'stray '\%d' in program'
0x583f79f76f21 is located 0 bytes after global variable 'next.eos' defined in '/home/cobot001/src/berry/src/be_lexer.c:106' (0x583f79f76f20) of size 1
'next.eos' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow /home/cobot001/src/berry/src/be_lexer.c:111:28 in next
Shadow bytes around the buggy address:
0x583f79f76c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x583f79f76d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x583f79f76d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x583f79f76e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x583f79f76e80: 00 00 00 00 00 02 f9 f9 00 05 f9 f9 03 f9 f9 f9
=>0x583f79f76f00: 03 f9 f9 f9[01]f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
0x583f79f76f80: 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 00 00 02 f9
0x583f79f77000: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 03
0x583f79f77080: f9 f9 f9 f9 00 00 05 f9 f9 f9 f9 f9 00 00 01 f9
0x583f79f77100: f9 f9 f9 f9 00 05 f9 f9 00 00 00 06 f9 f9 f9 f9
0x583f79f77180: 07 f9 f9 f9 05 f9 f9 f9 04 f9 f9 f9 03 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2360358==ABORTING
```
</details> |
|---|
| Source | https://github.com/berry-lang/berry/issues/509 |
|---|
| User | Oneafter (UID 92781) |
|---|
| Submitted | 2026-02-15 16:44 (4 months ago) |
|---|
| Moderated | 2026-02-26 17:39 (11 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 348014 [berry-lang berry up to 1.1.0 src/be_lexer.c scan_string information disclosure] |
|---|
| Points | 20 |
|---|