- Version: <2.15.05
- NASM source: https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/
- Download the source tarball from the website
    wget https://www.nasm.us/pub/nasm/releasebuilds/2.15.05/nasm-2.15.05.tar.gz
- Unpack the source
    tar xvf nasm-2.15.05.tar.gz
- Set the compiler and enable AddressSanitizer (-g keeps debug info so the sanitizer report shows file and line; if the link step does not pick up CFLAGS, put -fsanitize=address in LDFLAGS as well so the ASan runtime is linked in)
    cd nasm-2.15.05
    export CC=/usr/bin/gcc
    export CXX=/usr/bin/g++
    export CFLAGS="-g -fsanitize=address"
    ./configure --prefix=/usr/
- Build and install (make install builds first; sudo resets the environment, but configure has already recorded the flags in the Makefile)
    sudo make install
- Check the version of the freshly built binary in the source tree
    ./nasm -v
I used a fuzzer that I crafted myself, and then I found a crash.
I reproduced the vulnerability with this PoC:
./nasm -t -Z/dev/null -g -O0 -o /dev/null -M -f bin ./poc
AddressSanitizer showed that there is a heap overflow bug here.
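The build-and-reproduce procedure above, scripted end to end as an added example (this is not code from the bug report or from the NASM project). The version, download URL and PoC command line are the ones given in the report; the helper names, the asan.log file name, the exitcode=86 choice and the sample sanitizer report used for offline self-checking (with placeholder function and file names) are this script's own assumptions. It adds two checks a triager wants: that the binary really is ASan-instrumented before trusting a "no report" run, and a parse of the report into bug class plus innermost frame.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the NASM project.
# Builds NASM 2.15.05 with AddressSanitizer, confirms the binary is
# instrumented, runs the PoC from the report, and triages the output.
# Helper names, log file name and the sample report are assumptions.

NASM_VERSION="2.15.05"
NASM_DIR="nasm-${NASM_VERSION}"
NASM_TARBALL="${NASM_DIR}.tar.gz"
NASM_URL="https://www.nasm.us/pub/nasm/releasebuilds/${NASM_VERSION}/${NASM_TARBALL}"

# Build with ASan. LDFLAGS carries -fsanitize=address too, so the link step
# pulls in the runtime even if the Makefile's link rule ignores CFLAGS.
# -O0 keeps the stack trace faithful; -g gives file:line in the report.
build_nasm() {
    [ -f "$NASM_TARBALL" ] || wget -q "$NASM_URL" || return 1
    tar xf "$NASM_TARBALL" || return 1
    ( cd "$NASM_DIR" &&
      CC=gcc CXX=g++ CFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-fsanitize=address" \
          ./configure --prefix=/usr &&
      make ) || return 1
    is_asan_instrumented "$NASM_DIR/nasm"
}

# An uninstrumented build crashes (or does not) without any report, so check
# that the binary references the ASan runtime before trusting a clean run.
is_asan_instrumented() {
    nm -D "$1" 2>/dev/null | grep -q '__asan_init' ||
        ldd "$1" 2>/dev/null | grep -q 'libasan'
}

# Run the PoC exactly as in the report. -Z/dev/null only redirects NASM's own
# error messages; ASan still writes to fd 2, which is captured in the log.
# exitcode=86 separates a sanitizer abort from NASM's ordinary exit status 1.
run_poc() {
    poc="$1"; log="$2"; rc=0
    ASAN_OPTIONS="exitcode=86:symbolize=1" \
        "$NASM_DIR/nasm" -t -Z/dev/null -g -O0 -o /dev/null -M -f bin "$poc" \
        >/dev/null 2>"$log" || rc=$?
    echo "$rc"
}

# Bug class from the "ERROR: AddressSanitizer: <class> ..." line.
asan_bug_type() {
    sed -n 's/.*ERROR: AddressSanitizer: \([a-z-]*\).*/\1/p' "$1" | head -n 1
}

# Innermost frame of the first stack trace, as "function file:line:col".
asan_top_frame() {
    grep '^ *#0 ' "$1" | head -n 1 | sed 's/^ *#0 0x[0-9a-f]* in //'
}

# One-line verdict for a triage queue.
triage_report() {
    kind="$(asan_bug_type "$1")"
    if [ -z "$kind" ]; then
        echo "NO_SANITIZER_ERROR"
    else
        echo "CRASH:${kind}:$(asan_top_frame "$1")"
    fi
}

# Constructed sample report (not real output from this bug) to exercise the
# parser offline; function and file names are placeholders.
write_sample_report() {
    cat > "$1" <<'EOF'
=================================================================
==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000019 at pc 0x00000051e2ab bp 0x7ffc3c7e0d40 sp 0x7ffc3c7e0d38
WRITE of size 1 at 0x602000000019 thread T0
    #0 0x51e2aa in hypothetical_function /src/hypothetical.c:42:9
    #1 0x4c0f11 in main /src/nasm.c:100:5
EOF
}

# Usage: ./asan-repro.sh build   (fetch, configure, make, verify instrumentation)
#        ./asan-repro.sh repro ./poc   (run PoC, print exit code and verdict)
case "${1:-}" in
    build) build_nasm ;;
    repro) rc="$(run_poc "${2:-poc}" asan.log)"; echo "exit=$rc $(triage_report asan.log)" ;;
esac
```

The exit code matters for automation: NASM returns 1 on an ordinary assembly error, so a fuzzer that only looks at non-zero status cannot tell a rejected input from a sanitizer abort; with exitcode=86 set in ASAN_OPTIONS, only a real sanitizer report produces 86.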
This appears to be a duplicate of https://bugzilla.nasm.us/show_bug.cgi?id=3392815 (CVE-2022-44370).
I would suggest trying to repro with the latest dev branch, or testing with the patch from the above bug report (netwide-assembler/nasm@2d4e695).