Skip to content

CVE v5 backports #2835

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Rot127 merged 2 commits into from
Dec 29, 2025
Merged

CVE v5 backports #2835

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6e6c5b0
Backport of 2c7797182a1618be12017d7d41e0b6581d5d529e to v5 branch.
Rot127 Dec 17, 2025
c4167e1
Backport of cbef767ab33b82166d263895f24084b75b316df3 into v5.
Rot127 Dec 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions SStream.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ void SStream_concat0(SStream *ss, const char *s)
#ifndef CAPSTONE_DIET
unsigned int len = (unsigned int) strlen(s);

SSTREAM_OVERFLOW_CHECK(ss, len);
memcpy(ss->buffer + ss->index, s, len);
ss->index += len;
ss->buffer[ss->index] = '\0';
Expand All @@ -42,6 +43,7 @@ void SStream_concat0(SStream *ss, const char *s)
void SStream_concat1(SStream *ss, const char c)
{
#ifndef CAPSTONE_DIET
SSTREAM_OVERFLOW_CHECK(ss, 1);
ss->buffer[ss->index] = c;
ss->index++;
ss->buffer[ss->index] = '\0';
Expand All @@ -57,6 +59,10 @@ void SStream_concat(SStream *ss, const char *fmt, ...)
va_start(ap, fmt);
ret = cs_vsnprintf(ss->buffer + ss->index, sizeof(ss->buffer) - (ss->index + 1), fmt, ap);
va_end(ap);
if (ret < 0) {
return;
}
SSTREAM_OVERFLOW_CHECK(ss, ret);
ss->index += ret;
#endif
}
Expand Down
12 changes: 11 additions & 1 deletion SStream.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,18 @@

#include "include/capstone/platform.h"

#define SSTREAM_BUF_LEN 512

#define SSTREAM_OVERFLOW_CHECK(OS, len) \
do { \
if (OS->index + len + 1 > SSTREAM_BUF_LEN) { \
fprintf(stderr, "Buffer overflow caught!\n"); \
return; \
} \
} while (0)

typedef struct SStream {
char buffer[512];
char buffer[SSTREAM_BUF_LEN];
int index;
} SStream;

Expand Down
14 changes: 9 additions & 5 deletions cs.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -976,10 +976,13 @@ size_t CAPSTONE_API cs_disasm(csh ud, const uint8_t *buffer, size_t size, uint64
skipdata_bytes = handle->skipdata_size;

// we have to skip some amount of data, depending on arch & mode
insn_cache->id = 0; // invalid ID for this "data" instruction
// invalid ID for this "data" instruction
insn_cache->id = 0;
insn_cache->address = offset;
insn_cache->size = (uint16_t)skipdata_bytes;
memcpy(insn_cache->bytes, buffer, skipdata_bytes);
insn_cache->size = (uint16_t)MIN(
skipdata_bytes, sizeof(insn_cache->bytes));
memcpy(insn_cache->bytes, buffer,
MIN(skipdata_bytes, sizeof(insn_cache->bytes)));
#ifdef CAPSTONE_DIET
insn_cache->mnemonic[0] = '\0';
insn_cache->op_str[0] = '\0';
Expand Down Expand Up @@ -1181,12 +1184,13 @@ bool CAPSTONE_API cs_disasm_iter(csh ud, const uint8_t **code, size_t *size,
// we have to skip some amount of data, depending on arch & mode
insn->id = 0; // invalid ID for this "data" instruction
insn->address = *address;
insn->size = (uint16_t)skipdata_bytes;
insn->size = (uint16_t)MIN(skipdata_bytes, sizeof(insn->bytes));
memcpy(insn->bytes, *code,
MIN(skipdata_bytes, sizeof(insn->bytes)));
#ifdef CAPSTONE_DIET
insn->mnemonic[0] = '\0';
insn->op_str[0] = '\0';
#else
memcpy(insn->bytes, *code, skipdata_bytes);
strncpy(insn->mnemonic, handle->skipdata_setup.mnemonic,
sizeof(insn->mnemonic) - 1);
skipdata_opstr(insn->op_str, *code, skipdata_bytes);
Expand Down
Loading