Squirrel
Affected versions: up to and including 3.2
A heap-based buffer overflow has been identified in Squirrel versions up to and including 3.2. The flaw lies in the ReadObject function of the Cnut File Handler component, in squirrel/sqobject.cpp, which deserializes objects from compiled bytecode (.cnut) files. The string length read from the file is a signed integer that is used as a read size without validation, so a crafted .cnut file carrying a negative string length makes the loader read far more data than the destination buffer holds and corrupt the heap. The attack vector is local: the attacker needs the victim application to load a crafted bytecode file. The issue has been publicly disclosed and could be used in attacks.
Exploitation triggers a heap buffer overflow. The most likely outcome is a crash of the process loading the file (denial of service); in applications that load untrusted .cnut files the corruption could potentially be leveraged into arbitrary code execution, although the available reproduction demonstrates only the memory error, and turning it into code execution would depend on the embedding application and its allocator.
The vulnerability can be reproduced by running the Squirrel interpreter on a crafted .cnut file that carries a negative string length. sq_static is the statically linked interpreter binary built alongside sq by the project's build, not a command-line option; build it with AddressSanitizer enabled and pass the crafted file as its argument. AddressSanitizer then reports a heap-buffer-overflow during the string read in ReadObject, confirming the out-of-bounds write. An ASan report confirms the memory error, not that code execution is achievable.
The fix is to validate the length in ReadObject before it is used: reject negative string lengths and raise an error instead of passing the value on to the read routine. A defensive implementation should also bound the length against the remaining input (and a sane maximum string size) so that a truncated or oversized field cannot cause an over-read. Beyond the patch, applications should treat compiled bytecode as trusted code: the bytecode loader is not designed to be a security boundary, so .cnut files from untrusted sources should not be loaded at all.
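The following is an added illustration, not code from the Squirrel project or from this advisory. It models the loader pattern described above in a self-contained program: a type tag, then a signed length, then that many bytes of string data, parsed once the vulnerable way (no sign check) and once the hardened way. Everything in it is an assumption made for the example: a 64-bit SQInteger, a little-endian field encoding, a made-up TAG_STRING value, and the hypothetical helper names read_string_unchecked, read_string_checked and stream_read. The overflow is detected rather than performed, so the program runs cleanly without AddressSanitizer.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Added illustration, not Squirrel's code. It models the loader pattern in the
// advisory: a type tag, a signed length, then that many bytes of string data.
// Assumed: 64-bit SQInteger, little-endian fields, a made-up TAG_STRING value.
typedef int64_t SQInteger;
static const uint32_t TAG_STRING = 0x10;

// In-memory stand-in for the .cnut file handed to the loader.
struct CnutStream {
    std::vector<uint8_t> data;
    size_t pos = 0;
    size_t remaining() const { return data.size() - pos; }
};

// fread-like read callback: copies min(n, bytes left) and returns the count.
// dst_cap exists only so this example can detect an overflow instead of
// performing it; a real callback knows nothing about the destination size.
static size_t stream_read(CnutStream &s, uint8_t *dst, size_t dst_cap, size_t n, bool *overflow) {
    size_t take = n < s.remaining() ? n : s.remaining();
    if (take > dst_cap) { *overflow = true; take = dst_cap; }
    if (take) std::memcpy(dst, &s.data[s.pos], take);
    s.pos += take;
    return take;
}

// Little-endian fixed-width field reader for the constructed format.
template <typename T> static bool read_le(CnutStream &s, T *v) {
    if (s.remaining() < sizeof(T)) return false;
    uint64_t r = 0;
    for (size_t i = 0; i < sizeof(T); i++) r |= (uint64_t)s.data[s.pos + i] << (8 * i);
    s.pos += sizeof(T); *v = (T)r; return true;
}

struct ReadResult {
    bool ok = false;        // loader accepted the object
    std::string str;        // decoded string when ok
    size_t requested = 0;   // bytes the loader asked the callback for
    bool overflow = false;  // the copy would have run past the scratch pad
    std::string error;
};

// Vulnerable pattern: the signed length goes straight into a size_t, so -1 becomes
// SIZE_MAX, the scratch pad is never grown (it only grows for positive sizes), and the
// callback copies whatever the file still holds into it. The short-read check fires
// only after memory has already been overwritten.
ReadResult read_string_unchecked(const std::vector<uint8_t> &bytes, size_t scratch_capacity) {
    ReadResult r;
    CnutStream s; s.data = bytes;
    uint32_t tag; SQInteger len;
    if (!read_le(s, &tag) || tag != TAG_STRING) { r.error = "not a string object"; return r; }
    if (!read_le(s, &len)) { r.error = "truncated length"; return r; }
    std::vector<uint8_t> scratch(scratch_capacity);
    if (len > 0 && (uint64_t)len > scratch.size()) scratch.resize((size_t)len);
    r.requested = (size_t)len;  // no sign check: -1 becomes SIZE_MAX
    size_t got = stream_read(s, scratch.data(), scratch.size(), r.requested, &r.overflow);
    if (got != r.requested) { r.error = "short read"; return r; }
    r.str.assign((const char *)scratch.data(), got);
    r.ok = true;
    return r;
}

// Hardened pattern: reject a negative length before it is used as a size, and refuse
// a length larger than the remaining input so the copy exceeds neither buffer.
ReadResult read_string_checked(const std::vector<uint8_t> &bytes) {
    ReadResult r;
    CnutStream s; s.data = bytes;
    uint32_t tag; SQInteger len;
    if (!read_le(s, &tag) || tag != TAG_STRING) { r.error = "not a string object"; return r; }
    if (!read_le(s, &len)) { r.error = "truncated length"; return r; }
    if (len < 0) { r.error = "invalid (negative) string length"; return r; }
    if ((uint64_t)len > s.remaining()) { r.error = "string length exceeds input"; return r; }
    std::vector<uint8_t> buf((size_t)len);
    r.requested = (size_t)len;
    size_t got = stream_read(s, buf.data(), buf.size(), r.requested, &r.overflow);
    if (got != r.requested) { r.error = "short read"; return r; }
    r.str.assign((const char *)buf.data(), got);
    r.ok = true;
    return r;
}

// Constructed sample objects (not real .cnut files): a benign 5-byte string and a
// crafted one whose length field is -1 followed by 64 bytes of payload.
static std::vector<uint8_t> make_string_object(SQInteger len, const std::string &payload) {
    std::vector<uint8_t> out;
    for (int i = 0; i < 4; i++) out.push_back((uint8_t)(TAG_STRING >> (8 * i)));
    for (int i = 0; i < 8; i++) out.push_back((uint8_t)((uint64_t)len >> (8 * i)));
    out.insert(out.end(), payload.begin(), payload.end());
    return out;
}
std::vector<uint8_t> benign_object()  { return make_string_object(5, "hello"); }
std::vector<uint8_t> crafted_object() { return make_string_object(-1, std::string(64, 'A')); }

int main() {
    ReadResult bad = read_string_unchecked(crafted_object(), 16), ok = read_string_checked(crafted_object());
    std::printf("unchecked: requested=%zu overflow=%d (%s)\n", bad.requested, (int)bad.overflow, bad.error.c_str());
    std::printf("checked:   overflow=%d (%s)\n", (int)ok.overflow, ok.error.c_str());
    return 0;
}
```

The point to take from the unchecked path is the ordering: the short-read error is raised, but only after the callback has already copied the file's remaining bytes past the end of the scratch pad, which is why an AddressSanitizer build reports the overflow at the copy rather than at the error check. The checked path refuses the object before any size is derived from the untrusted field, and its second check (length against remaining input) also closes the separate over-read case of a positive length larger than the file.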