oss-sec mailing list archives

Re: CVE id request: nasm off-by-one


From: Eren Türkay <turkay.eren () gmail com>
Date: Wed, 11 Jun 2008 20:40:53 +0300

On 11 Jun 2008 Wed 18:48:14 Nico Golde wrote:
> There is an off-by-one in the ppscan() function which is
> used to preprocess files.
>
> Details:
> https://sourceforge.net/tracker/?func=detail&atid=106208&aid=1942146&group_id=6208
>
> Can I get a CVE id for this one?

Secunia [0] implies that this security flaw also occurs in 0.x. I looked at 
the code in the 0.98.39 [1] tarball to backport the vendor-supported patch, but it 
seems that 0.x is not vulnerable.

The control of TOKEN_ID in 2.03 [2] is below:

    if (tline->type == TOK_ID) {
        p = tokval->t_charptr = tline->text;
        if (p[0] == '$') {
            tokval->t_charptr++;
            return tokval->t_type = TOKEN_ID;
        }

        for (r = p, s = ourcopy; *r; r++) {
            if (r >= p+MAX_KEYWORD)
                return tokval->t_type = TOKEN_ID; /* Not a keyword */
            *s++ = tolower(*r);
        }
        *s = '\0';
        return nasm_token_hash(ourcopy, tokval);
    }

While 0.98.39 has:

    if (tline->type == TOK_ID) {
        tokval->t_charptr = tline->text;
        if (tline->text[0] == '$') {
            tokval->t_charptr++;
            return tokval->t_type = TOKEN_ID;
        }

        if (!nasm_stricmp(tline->text, "seg"))
            return tokval->t_type = TOKEN_SEG;

        return tokval->t_type = TOKEN_ID;
    }

There is only a check for the "seg" value, and after it, it just returns TOKEN_ID. 
Could someone shed light on this issue? I'm not completely sure whether this 
occurs in 0.x, too.

[0] http://secunia.com/advisories/30594/
[1] http://ovh.dl.sourceforge.net/sourceforge/nasm/nasm-0.98.39.tar.bz2
[2] ftp://ftp.zytor.com/pub/nasm/releasebuilds/2.03/nasm-2.03.tar.bz2
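The point of comparison in the two excerpts above is the bounded lower-casing loop that only exists in 2.03: the 0.98.39 code never copies the identifier into a fixed buffer, so there is nothing to overrun, while the 2.03 loop must get its bound exactly right. The following C program is an added illustration of that boundary and is not code from the thread or from nasm itself. It assumes a stand-in value for MAX_KEYWORD (nasm's real value is not given in the post) and a constructed two-entry keyword table in place of nasm_token_hash(); the function names keyword_lower_copy, classify_id and bytes_written_for_length are hypothetical. It shows why the length check has to run before the store and why the destination needs MAX_KEYWORD + 1 bytes: an identifier of exactly MAX_KEYWORD characters is copied in full and then terminated at index MAX_KEYWORD.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYWORD 9   /* stand-in limit; nasm's own value is not in the post */

enum tok_kind { TOKEN_ID = 1, TOKEN_SEG, TOKEN_WRT };

/* Constructed keyword table standing in for nasm_token_hash(). */
static const struct { const char *name; enum tok_kind kind; } keywords[] = {
    { "seg", TOKEN_SEG }, { "wrt", TOKEN_WRT },
};

/* Lower-case p into out, which must hold MAX_KEYWORD + 1 bytes.
 * Returns the number of bytes written including the terminator,
 * or 0 when p is longer than any keyword. The bound is tested before
 * each store, so r == p + MAX_KEYWORD never writes; the terminator
 * then lands at index MAX_KEYWORD at most, which is why out needs
 * MAX_KEYWORD + 1 bytes rather than MAX_KEYWORD. */
size_t keyword_lower_copy(const char *p, char out[MAX_KEYWORD + 1]) {
    const char *r;
    char *s = out;
    for (r = p; *r; r++) {
        if (r >= p + MAX_KEYWORD)
            return 0;                        /* not a keyword: nothing more written */
        *s++ = (char)tolower((unsigned char)*r);
    }
    *s = '\0';
    return (size_t)(s - out) + 1;
}

/* Token classification modelled on the 2.03 excerpt: '$'-prefixed and
 * over-long identifiers are plain TOKEN_IDs, everything else is looked
 * up in the (constructed) keyword table after lower-casing. */
enum tok_kind classify_id(const char *text) {
    char ourcopy[MAX_KEYWORD + 1];
    if (text[0] == '$')
        return TOKEN_ID;
    if (keyword_lower_copy(text, ourcopy) == 0)
        return TOKEN_ID;
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(ourcopy, keywords[i].name) == 0)
            return keywords[i].kind;
    return TOKEN_ID;
}

/* Boundary probe: build a constructed identifier of length n and report
 * how many bytes the copy wrote into a correctly sized buffer. */
size_t bytes_written_for_length(size_t n) {
    char tok[MAX_KEYWORD + 8];
    char out[MAX_KEYWORD + 1];
    if (n >= sizeof tok)
        return 0;
    memset(tok, 'A', n);
    tok[n] = '\0';
    return keyword_lower_copy(tok, out);
}

int main(void) {
    size_t n;
    for (n = MAX_KEYWORD - 1; n <= MAX_KEYWORD + 1; n++)
        printf("length %zu -> %zu bytes written\n", n, bytes_written_for_length(n));
    printf("SEG -> %d, $seg -> %d, foo -> %d\n",
           classify_id("SEG"), classify_id("$seg"), classify_id("foo"));
    return 0;
}
```

Running it shows a token of length MAX_KEYWORD writing MAX_KEYWORD + 1 bytes (characters plus NUL) and a token one longer writing nothing at all; if the bound were checked after the store, or the buffer were declared with MAX_KEYWORD bytes, that last in-range case is exactly the one-byte overrun the thread is about.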

