Squirrel Heap-Based Buffer Overflow Vulnerability in SQFunctionProto::Load

A heap-based buffer overflow vulnerability has been identified in Squirrel versions through 3.2. The issue arises in the SQFunctionProto::Load function within the file squirrel/sqobject.cpp. The vulnerability is caused by the function reading count fields from the bytecode stream without proper validation. This oversight allows for an integer overflow in the _FUNC_SIZE macro, leading to a significant underallocation of memory. The vulnerability requires local execution to exploit and has been publicly disclosed.

Impact

Exploitation of this vulnerability causes a heap buffer overflow, with the potential for arbitrary code execution, as the overflowed memory can be controlled by the attacker.

Reproduction

The vulnerability can be reproduced by loading a crafted .cnut bytecode file using the sqstd_loadfile or sq_readclosure functions, which are available in the Squirrel standard library. This can be done from an application that embeds the Squirrel interpreter.

Remediation

It is recommended to replace the _FUNC_SIZE macro with overflow-checked arithmetic or to cap each count field to a reasonable maximum after reading from the bytecode stream.