BBS: TELESC.NET.BR
Subject: src/syncterm/wren/vm/wren_compiler.c
From: Deuce
Date: Thu, 30 Apr 2026 10:38:25 -0700

https://gitlab.synchro.net/main/sbbs/-/commit/d938e6f021a3c87c0cd7553f

Modified Files:
src/syncterm/wren/vm/wren_compiler.c

Log Message:
SyncTERM: harden vendored Wren compiler against fuzzer-found crashes

Five compiler-level bugs reported by oneafter against upstream wren-lang/wren (issues #1217-#1221). All five reproducers exit cleanly with compile errors after the fix under -fsanitize=address,undefined.

#1217 peekChar OOB in readRawString: the loop unconditionally peeked two characters after nextChar(), so consuming the buffer's terminating '\0' caused a 1-byte read past the source allocation. The "consume the closing two quotes" calls after the loop did the same on the unterminated path. Hoist the c=='\0' check above the peeks; only run the trailing two-quote consume when the loop actually saw the closing triple-quote.

#1218 stack exhaustion via deep nesting: the recursive descent parser had no depth limit. ~300 frames of definition/finishBlock/statement/forStatement/loopBody corrupted the C stack and ASAN reported it as a heap-buffer-underflow in resolveLocal's memcmp. Add MAX_RECURSION_DEPTH (256) plus a recursionDepth counter on Parser; gate statement() and expression() at the entry point.

#1219 emitOp stackEffects[] OOB: validateNumParameters reports an error at arity == MAX_PARAMETERS+1 but does not stop or clamp, so callSignature emits (Code)(CODE_CALL_0 + arity) past CALL_16/SUPER_16 and emitOp reads stackEffects[] beyond its 77 entries. Clamp arity in callSignature and callMethod, and add a sizeof-based bounds guard in emitOp as the safety net.

#1220 NULL deref in getByteCountForArguments: after error recovery emits malformed bytecode, endLoop's body walk treats arg bytes as opcodes; a CODE_CLOSURE byte then dereferences constants[] with a bogus index against an empty (NULL data) constants buffer. Skip the walk entirely when parser->hasError is set; the function is going to be discarded anyway.

#1221 vsprintf overflow in printError: a 159-byte stack buffer was filled by sprintf+vsprintf with no length checks. Attacker-controlled identifiers (method/variable names MAX_VARIABLE_NAME * actual length) can blow the buffer via formats like "Method '%s' is already defined." Switch to snprintf+vsnprintf with remaining-bytes accounting; drop the now-redundant ASSERT.

Thanks to oneafter for the careful fuzzing reports and reproducers.

Co-Authored-By: Claude Opus 4.7 (1M context)

--- Synchronet - Vertrauen - Home of Synchronet - [vert/cvs/bbs].synchro.net
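The #1221 fix above replaces unbounded sprintf/vsprintf with snprintf/vsnprintf and "remaining-bytes accounting". The subtle part of that pattern is that vsnprintf returns the length the full output would have had, not the number of bytes written, so a naive `offset += vsnprintf(...)` after a truncated prefix pushes the next write past the end of the buffer. The following is an added example, not code from SyncTERM, Wren or the commit itself; the buffer size, the `FormattedError` struct and all function names are constructed for illustration. It builds a compiler-style error message from an untrusted identifier, clamps the offset after every fragment, and reports whether truncation happened so the caller can tell a clipped message from a complete one.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size message buffer; the size is constructed for this
 * example and stands in for the small stack buffer described in the commit. */
#define ERROR_MESSAGE_SIZE 160

typedef struct {
    char   message[ERROR_MESSAGE_SIZE]; /* always NUL-terminated */
    size_t length;                      /* bytes stored, excluding the NUL */
    size_t wanted;                      /* bytes the untruncated message needed */
} FormattedError;

/* Append one formatted fragment. The invariant length <= ERROR_MESSAGE_SIZE - 1
 * guarantees remaining >= 1, so vsnprintf always has room for the NUL and the
 * write pointer never leaves the buffer. */
static void appendv(FormattedError *e, const char *fmt, va_list args)
{
    size_t remaining = sizeof e->message - e->length;
    int needed = vsnprintf(e->message + e->length, remaining, fmt, args);
    if (needed < 0) return;                 /* encoding error: leave buffer as is */
    e->wanted += (size_t)needed;
    /* vsnprintf reports the full length even when it truncated; clamp the offset
     * so the next append starts at the NUL rather than past the end. */
    e->length += (size_t)needed < remaining ? (size_t)needed : remaining - 1;
}

static void append(FormattedError *e, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    appendv(e, fmt, args);
    va_end(args);
}

/* Build "[module line N] Error at 'label': <message>" without ever writing
 * past the buffer, however long the module name, label or message are. */
FormattedError formatCompileError(const char *module, int line,
                                  const char *label, const char *fmt, ...)
{
    FormattedError e;
    e.message[0] = '\0';
    e.length = 0;
    e.wanted = 0;

    append(&e, "[%s line %d] Error at '%s': ", module, line, label);

    va_list args;
    va_start(args, fmt);
    appendv(&e, fmt, args);
    va_end(args);
    return e;
}

/* True when some of the message was clipped to fit the buffer. */
bool errorWasTruncated(const FormattedError *e)
{
    return e->wanted > e->length;
}

/* Constructed input: a method name of nameLen 'a' characters, far longer than
 * the buffer, used both as the label and as the '%s' argument. */
FormattedError demoOverlongIdentifier(size_t nameLen)
{
    char name[1024];
    if (nameLen > sizeof name - 1) nameLen = sizeof name - 1;
    memset(name, 'a', nameLen);
    name[nameLen] = '\0';
    return formatCompileError("main", 12, name, "Method '%s' is already defined.", name);
}

int main(void)
{
    FormattedError ok = formatCompileError("main", 7, "foo", "Expected %d arguments.", 2);
    printf("%s (truncated: %s)\n", ok.message, errorWasTruncated(&ok) ? "yes" : "no");

    FormattedError big = demoOverlongIdentifier(500);
    printf("%zu of %zu bytes kept (truncated: %s)\n", big.length, big.wanted,
           errorWasTruncated(&big) ? "yes" : "no");
    return 0;
}
```

Under AddressSanitizer the original sprintf/vsprintf version of this routine would report a stack-buffer-overflow on the 500-character identifier; here the second call simply stores the first 159 bytes and flags the message as truncated, which is the behaviour the commit describes for the fixed printError.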