In radare2 up to and including 4.0, there is an integer overflow for the variable new_token_size in the function r_asm_massemble at libr/asm/asm.c. This integer overflow will result in a Use-After-Free for the buffer tokens, which can be filled with arbitrary malicious data after the free. This allows remote malicious users to cause a denial of service (application crash) or possibly execute arbitrary code via crafted input.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
radare radare2 |