Description
During a private security review conducted by an external researcher, three potential buffer overflow issues were identified in the asn1scc runtime libraries and code generation templates. The findings were responsibly disclosed in private, together with detailed analyses and proposed fixes.
This issue tracks the assessment and remediation of the following items.
1. XER Primitive Decoder – Buffer Overflow
Component
asn1crt/asn1crt_encoding_xer.c
Problem
Xer_DecodePrimitiveElement() copies decoded XML element content into a caller-supplied buffer without checking its size. Several callers pass fixed-size buffers (typically 256–2048 bytes).
Malformed or oversized XER input may cause writes past the end of the buffer.
Impact
- Possible crash or memory corruption when decoding untrusted XER/XML input
- Relevant only when XER decoding is enabled and used on external data
Reference
- See attached report: SECURITY_ISSUE_1_XER_BUFFER_OVERFLOW.md
2. XER SEQUENCE OF Decoder – Out-of-Bounds Write
Component
StgC/xer_c.stg (also affects the Ada template StgAda/xer_a.stg)
Problem
The generated decode loop for SEQUENCE OF writes elements to arr[sI] without verifying that sI < nSizeMax.
The bounds check occurs only after the loop terminates, which is too late to prevent an overflow.
Impact
- Out-of-bounds write when decoding malformed XER with more elements than allowed by the ASN.1 size constraint
- Stack or heap corruption depending on allocation
Reference
- See attached report: SECURITY_ISSUE_2_XER_SEQUENCEOF_OOB.md
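The loop shape described above, as an added illustrative example rather than asn1scc's generated code or template text: a minimal SEQUENCE OF decode loop in C with the sI < nSizeMax check placed before each write instead of after the loop. The element tag string, the size constraint of 4, and the integer element parsing are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical ASN.1 SIZE constraint and XER element start tag for this example. */
enum { nSizeMax = 4 };
static const char ELEM_TAG[] = "<e>";

typedef struct {
    int nCount;
    int arr[nSizeMax];   /* fixed-size storage sized by the SIZE constraint */
} SeqOfInt;

/* Decodes every "<e>N" element in xer into out->arr.
 * Returns true on success, false when the input carries more elements than
 * the size constraint permits. The check sits BEFORE the write: the too-late
 * variant tested sI against nSizeMax only after the loop, by which point
 * arr[nSizeMax..] had already been written. */
bool decode_seq_of(const char *xer, SeqOfInt *out)
{
    int sI = 0;
    const char *p = xer;

    while ((p = strstr(p, ELEM_TAG)) != NULL) {
        p += strlen(ELEM_TAG);
        if (sI >= nSizeMax)          /* reject instead of overflowing arr */
            return false;
        out->arr[sI] = (int)strtol(p, NULL, 10);   /* minimal element parse */
        sI++;
    }
    out->nCount = sI;
    return true;
}

/* Convenience wrapper: number of decoded elements, or -1 if the input was rejected. */
int decode_count(const char *xer)
{
    SeqOfInt s;
    return decode_seq_of(xer, &s) ? s.nCount : -1;
}
```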
3. ACN Null-Terminated Decoder – Stack Buffer Overflow
Component
asn1crt/asn1crt_encoding_acn.c
Problem
ACN null-terminated decoders use a fixed 10-byte temporary buffer for the termination pattern.
Although the size is clamped for comparisons, the read loop uses the unclamped null_character_size, allowing writes past the buffer if the pattern exceeds 10 bytes.
Impact
- Stack corruption at decode time
- Requires an ACN schema with a termination pattern longer than 10 bytes (compile-time controlled)
Reference
- See attached report: SECURITY_ISSUE_3_ACN_NULL_TERM_OVERFLOW.md
Next Steps
- Review and validate each issue
- Decide on final fix strategy (runtime bounds checks vs. compile-time validation where applicable)
- Apply fixes consistently across C and Ada backends
- Add regression tests for malformed inputs
- Coordinate disclosure timing if this issue is made public
Acknowledgements
Thanks to Stanislav Fort (Aisle Research) for the responsible private disclosure and for providing clear reproductions and patch suggestions.