Created attachment 9401
poc

1. Busybox bc Calculator zbc_parse_stmt_possibly_auto Function Stack Overflow

busybox-master\busybox-1.33.1\miscutils\bc.c
In line 4584, stack overflow by &G.prs

4579 #define zbc_parse_auto(...) (zbc_parse_auto(__VA_ARGS__) COMMA_SUCCESS)
4580
4581 #undef zbc_parse_stmt_possibly_auto
4582 static BC_STATUS zbc_parse_stmt_possibly_auto(bool auto_allowed)
4583 {
4584 	BcParse *p = &G.prs;
4585 	BcStatus s = BC_STATUS_SUCCESS;
4586
4587 	dbg_lex_enter("%s:%d entered, p->lex:%d", __func__, __LINE__, p->lex);
4588
4589 	if (p->lex == XC_LEX_NLINE) {
4590 		dbg_lex_done("%s:%d done (seen XC_LEX_NLINE)", __func__, __LINE__);
4591 		RETURN_STATUS(s);
4592 	}

2. Affected versions
Busybox 1.33

3. asan report
busybox-1.33.1/busybox_unstripped bc id\:000032\,sig\:11\,src\:000737\,time\:90108123\,execs\:9999153\,op\:havoc\,rep\:16
bc 1.33.1
Adapted from https://github.com/gavinhoward/bc
Original code (c) 2018 Gavin D. Howard and contributors
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1564774==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe0c9dffe8 (pc 0x55615737f984 bp 0x619000000580 sp 0x7ffe0c9dffe8 T0)
    #0 0x55615737f983 in zbc_parse_stmt_possibly_auto miscutils/bc.c:4584

SUMMARY: AddressSanitizer: stack-overflow miscutils/bc.c:4584 in zbc_parse_stmt_possibly_auto
==1564774==ABORTING
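The ASan report above fires at the first line of a parser function, which is the typical signature of a recursive-descent parser recursing once per nesting level until the thread stack is exhausted. The example below is added here for illustration; it is not BusyBox code and not part of the report. It assumes that cause and shows the standard mitigation, a nesting-depth counter checked on every recursive entry. The toy grammar, the value of `MAX_NEST_DEPTH`, the status codes and the function names `parse_stmt`, `parse_program` and `parse_nested_blocks` are all assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example (not BusyBox's BC_STATUS values). */
enum {
    PARSE_OK = 0,
    PARSE_SYNTAX_ERR = 1,
    PARSE_TOO_DEEP = 2
};

/* Assumed nesting limit: small enough that MAX_NEST_DEPTH frames of
 * parse_stmt() always fit in a default thread stack. */
#define MAX_NEST_DEPTH 256

/* Recursive-descent parser for a toy block grammar:
 *   stmt := 'x' | '{' stmt* '}'
 * Every '{' recurses one level deeper, the same shape as a statement parser
 * that calls itself for the body of a nested block. The depth check at the
 * top is the guard that turns stack exhaustion into an ordinary error. */
static int parse_stmt(const char *s, size_t *pos, unsigned depth)
{
    if (depth > MAX_NEST_DEPTH)
        return PARSE_TOO_DEEP;          /* refuse instead of recursing further */

    if (s[*pos] == 'x') {
        (*pos)++;
        return PARSE_OK;
    }
    if (s[*pos] != '{')
        return PARSE_SYNTAX_ERR;
    (*pos)++;                           /* consume '{' */
    while (s[*pos] != '}') {
        if (s[*pos] == '\0')
            return PARSE_SYNTAX_ERR;    /* unterminated block */
        int st = parse_stmt(s, pos, depth + 1);
        if (st != PARSE_OK)
            return st;
    }
    (*pos)++;                           /* consume '}' */
    return PARSE_OK;
}

/* Parse a whole program: a sequence of statements consuming the full input. */
int parse_program(const char *s)
{
    size_t pos = 0;
    while (s[pos] != '\0') {
        int st = parse_stmt(s, &pos, 1);
        if (st != PARSE_OK)
            return st;
    }
    return PARSE_OK;
}

/* Construct n nested blocks "{{{...x...}}}" and parse them. Deeply nested
 * input of this shape is what exhausts the stack of an unguarded parser. */
int parse_nested_blocks(size_t n)
{
    char *buf = malloc(2 * n + 2);
    if (!buf)
        return PARSE_SYNTAX_ERR;
    memset(buf, '{', n);
    buf[n] = 'x';
    memset(buf + n + 1, '}', n);
    buf[2 * n + 1] = '\0';
    int st = parse_program(buf);
    free(buf);
    return st;
}

int main(void)
{
    printf("shallow nesting: status %d\n", parse_nested_blocks(10));
    printf("deep nesting:    status %d\n", parse_nested_blocks(1000000));
    return 0;
}
```

With the guard in place, `parse_nested_blocks(1000000)` returns `PARSE_TOO_DEEP` after 257 frames rather than recursing a million times; without the check at the top of `parse_stmt` the same input walks off the end of the stack and produces exactly the kind of `stack-overflow` report ASan printed above. The limit belongs on the recursive call path itself, not on the input size, because a small input can still encode deep nesting.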