Summary
file_saver->SaveFile() called without NULL check in idl_gen_binary.cpp:53.
Root Cause
IDLOptions::file_saver defaults to nullptr. When GenerateBinary() is called with a non-empty builder, it dereferences a NULL pointer.
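The root cause above, as an added example that is not FlatBuffers code: a small C++ model of an options struct whose saver callback defaults to nullptr, with the unchecked generator shape that crashes shown beside the checked shape that fails cleanly. The names Options, FileSaver, MemorySaver and GenerateBinaryUnchecked/Checked are illustrative stand-ins for the types in the report, not the project's declarations.

```cpp
// Added example (not FlatBuffers code): a generator options struct carries a
// saver callback that defaults to nullptr, as IDLOptions::file_saver does, and
// the generator must check it before the call. All names here are illustrative.
#include <map>
#include <string>
#include <vector>

using FileSaver = bool (*)(const std::string& path, const std::string& data);

struct Options {
  FileSaver file_saver = nullptr;  // same default the report describes
};
// Buggy shape: dereferences a null callback when Options are left at defaults,
// the SEGV on address 0 seen in the fuzzer run. Shown for contrast; not called.
inline bool GenerateBinaryUnchecked(const Options& opts, const std::string& path,
                                    const std::vector<unsigned char>& buf) {
  return opts.file_saver(path, std::string(buf.begin(), buf.end()));
}
// Fixed shape, mirroring the suggested patch: a missing saver is a reported
// failure rather than a crash.
inline bool GenerateBinaryChecked(const Options& opts, const std::string& path,
                                  const std::vector<unsigned char>& buf) {
  if (!opts.file_saver) return false;
  return opts.file_saver(path, std::string(buf.begin(), buf.end()));
}
// In-memory saver standing in for the real file write so the demo runs offline.
inline std::map<std::string, std::string>& SavedFiles() {
  static std::map<std::string, std::string> files;
  return files;
}
inline bool MemorySaver(const std::string& path, const std::string& data) {
  SavedFiles()[path] = data;
  return true;
}

// Default options: the checked generator refuses instead of dereferencing null.
inline bool DefaultOptionsFailSafely() {
  Options opts;  // file_saver stays nullptr, as with a default IDLOptions
  return !GenerateBinaryChecked(opts, "out.bin", {0x52, 0x0a});
}

// Configured options: the same call succeeds and the bytes reach the saver.
inline bool ConfiguredOptionsSave() {
  Options opts;
  opts.file_saver = MemorySaver;
  return GenerateBinaryChecked(opts, "out.bin", {0x52, 0x0a}) &&
         SavedFiles()["out.bin"].size() == 2;
}
```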
PoC

```python
# Fuzzer input that reaches the null dereference; written out as poc.bin.
poc = bytes([
    0x52, 0x0a, 0x2f, 0x2f, 0x25, 0x31, 0x2f, 0x2f, 0x2f, 0x41, 0x41, 0xbf,
    0xc5, 0xc0, 0x41, 0x41, 0x6d, 0x6d, 0x6d, 0xba, 0x02, 0x2f, 0x2a, 0x63,
    0x74, 0x31, 0x6f, 0x72, 0x35, 0x9a, 0x2a, 0x2a, 0x2f, 0x2f, 0x2f, 0x0a,
    0x2f, 0x2f, 0x2f, 0x99, 0x33, 0xf1, 0xd0, 0x3a, 0x0a, 0x0a, 0x2f, 0x2f,
    0x33, 0x9a, 0x9a, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
    0x65, 0x3b, 0x2f, 0x2f, 0x41, 0x5a, 0x7c, 0xe0
])
open("poc.bin", "wb").write(poc)
```

- Fuzzer: codegen_fuzzer
- Sanitizer: AddressSanitizer
- Run:

```
./codegen_fuzzer poc.bin
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
    #0 0x55b5c0a851c4 in GenerateBinary /src/flatbuffers/src/idl_gen_binary.cpp:53:34
    #1 0x55b5c0a851c4 in BinaryCodeGenerator::GenerateCode
```
Suggested Fix
--- a/src/idl_gen_binary.cpp
+++ b/src/idl_gen_binary.cpp
@@ -41,6 +41,7 @@ static std::string BinaryFileName(const Parser& parser, const std::string& path,
static bool GenerateBinary(const Parser& parser, const std::string& path,
const std::string& file_name) {
+ if (!parser.opts.file_saver) return false;
if (parser.opts.use_flexbuffers) {
auto data_vec = parser.flex_builder_.GetBuffer();
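Review bot: the new guard at the top of GenerateBinary returns false with no diagnostic, so a caller that never set file_saver fails in exactly the same way as a genuine write error and the misconfiguration is hard to tell apart from an I/O problem. Consider reporting the missing saver before `return false;` (the function already returns bool, so a single error message is enough), or asserting the precondition so a default-nullptr IDLOptions is caught loudly during development. Placing the check before the `use_flexbuffers` branch is right, since every path through the function then sees it before any save is attempted.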