PICOC Null Pointer Dereference Denial of Service #34

Open
@Halcy0nic

Description

PICOC suffers from a Denial of Service (CWE-476) vulnerability as a result of a Null Pointer Dereference. Any project or library that uses PICOC also suffers from this issue. An example of this would be picoc-js (https://www.npmjs.com/package/picoc-js). As a result, PICOC will immediately segfault.

Reproduction Steps

  1. Create a file to be executed by the PICOC interpreter:

         $ touch vulncode

  2. Add the following code to the file:

         printf("Before Crash\n");
         **4%;
         printf("This code won't execute because of the crash\n");

  3. Execute PICOC against the file:

         $ ./picoc -s vulncode

  4. You will receive a segfault and the program will crash. This is a result of a null pointer dereference that is not caught or handled by the interpreter. The vulnerable line of code can be seen below:

         **4%;

Solution

Adding a few if statements that verify the pointer is not NULL before usage will solve this problem. You can find more information about this here:

https://owasp.org/www-community/vulnerabilities/Null_Dereference
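
Added example, not part of the original issue and not PICOC's own code: a sketch of the kind of NULL check the Solution section describes, applied to a unary `*` evaluator so that a bad operand becomes an error status instead of a crash. The `struct value` layout, the `eval_status` codes and both function names are hypothetical, and the operands in `main` are constructed samples.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an interpreter value; not PICOC's real structures. */
struct value {
    int is_pointer;             /* 1 if this value holds a pointer */
    const struct value *target; /* pointee, NULL when nothing is referenced */
    long integer;               /* payload for non-pointer values */
};

enum eval_status { EVAL_OK, EVAL_ERR_NOT_POINTER, EVAL_ERR_NULL_DEREF };

/* Apply unary '*' once. Every pointer is checked before use, so a bad
 * operand is reported to the caller instead of crashing the host process. */
enum eval_status deref_checked(const struct value *operand, const struct value **out)
{
    if (operand == NULL || out == NULL)
        return EVAL_ERR_NULL_DEREF;
    if (!operand->is_pointer)
        return EVAL_ERR_NOT_POINTER;
    if (operand->target == NULL)
        return EVAL_ERR_NULL_DEREF;
    *out = operand->target;
    return EVAL_OK;
}

/* Apply unary '*' depth times (as in "**x"), stopping at the first error. */
enum eval_status deref_chain(const struct value *operand, int depth, const struct value **out)
{
    if (out == NULL)
        return EVAL_ERR_NULL_DEREF;
    for (int i = 0; i < depth; i++) {
        enum eval_status st = deref_checked(operand, &operand);
        if (st != EVAL_OK)
            return st;
    }
    *out = operand;
    return EVAL_OK;
}

int main(void)
{
    /* Constructed sample operands. */
    struct value four = { 0, NULL, 4 };
    struct value dangling = { 1, NULL, 0 };
    const struct value *res = NULL;
    printf("**<int 4>: status %d\n", deref_chain(&four, 2, &res));
    printf("*<null ptr>: status %d\n", deref_chain(&dangling, 1, &res));
    return 0;
}
```

An embedding host can turn a non-zero status into a script error and keep running, which is what matters for libraries that wrap the interpreter.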
