Open
Description
We discovered an Excessive Memory Allocation vulnerability in Squirrel. The crash occurs in sqvector::_realloc when the application attempts to allocate an impossibly large amount of memory (~2 Exabytes), triggering an AddressSanitizer abort.
The ASAN report indicates a requested size of 0x1c71c71c71c71c70, which exceeds the maximum supported size.
Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
Vulnerability Details
- Target: Squirrel (squirrel-lang)
- Vulnerability Type: CWE-770: Allocation of Resources Without Limits or Throttling / CWE-190: Integer Overflow
- Function: sqvector::_realloc
- Location: src/squirrel/squirrel/squtils.h:110 (called by resize at line 58)
- Root Cause Analysis: The function sqvector::resize calls _realloc with a new size. The ASAN report shows the requested size is 0x1c71c71c71c71c70. This specific pattern suggests:
- An integer overflow occurred during the size calculation (e.g., multiplication logic in resize or array expansion).
- Or, a user-supplied size (e.g., via array(n)) was not validated against a reasonable maximum limit (like MAX_ARRAY_SIZE) before being passed to the allocator.
The allocator cannot handle this request and aborts to prevent system instability.
Reproduce
- Build squirrel with Release optimization and ASAN enabled.
- Run with the crashing file:
./build/bin/sq repro
ASAN report
==55451==ERROR: AddressSanitizer: requested allocation size 0x1c71c71c71c71c70 (0x1c71c71c71c72c70 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
#0 0x55cdd74c4880 in realloc (/src/squirrel/build/bin/sq+0xcd880) (BuildId: e84909622778a60c07bbbd32568cd4522dcfe97d)
#1 0x7f4544943ce4 in sqvector<SQObjectPtr>::_realloc(unsigned long long) /src/squirrel/squirrel/squtils.h:110:21
#2 0x7f4544943ce4 in sqvector<SQObjectPtr>::resize(unsigned long long, SQObjectPtr const&) /src/squirrel/squirrel/squtils.h:58:13
==55451==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/src/squirrel/build/bin/sq+0xcd880) (BuildId: e84909622778a60c07bbbd32568cd4522dcfe97d) in realloc
==55451==ABORTING
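The two root causes proposed in the report (a wrapped multiplication in the byte-size computation, or an unchecked element count handed straight to the allocator) can be shown side by side in a small stand-alone container. This is an added example, not Squirrel's code and not the reporter's: `Obj` is a hypothetical 16-byte stand-in for `SQObjectPtr`, `kMaxElems` is a hypothetical policy cap standing in for the `MAX_ARRAY_SIZE`-style limit the report suggests, and `naive_bytes` models an unchecked `n * sizeof(T)` rather than any line of `squtils.h`.

```cpp
// Added example (not Squirrel's code): unchecked vs. checked element-count
// handling in a minimal vector, modelling the failure mode in the report.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <limits>

// Assumed 64-bit target, matching the x86_64 environment in the report.
static_assert(sizeof(size_t) == 8, "example assumes a 64-bit size_t");

// Hypothetical stand-in for SQObjectPtr: a 16-byte tagged value (assumption).
struct Obj { uint64_t type; uint64_t value; };

// Hypothetical application-level cap on element count, playing the role of
// the MAX_ARRAY_SIZE-style limit the report proposes (256M elements = 4 GiB).
constexpr size_t kMaxElems = size_t(1) << 28;

// Unchecked byte-size computation: size_t multiplication wraps modulo 2^64,
// so a huge n can produce either an absurd request or a tiny one.
size_t naive_bytes(size_t n) { return n * sizeof(Obj); }

// Checked computation: returns false when n * sizeof(Obj) would not fit.
bool checked_bytes(size_t n, size_t* out) {
    if (n > std::numeric_limits<size_t>::max() / sizeof(Obj)) return false;
    *out = n * sizeof(Obj);
    return true;
}

struct Vec {
    Obj* data = nullptr;
    size_t size = 0, cap = 0;
    ~Vec() { std::free(data); }

    // Hardened resize: rejects both overflow and counts above the policy cap
    // before the allocator is touched, so realloc never sees the bad size.
    bool resize(size_t n) {
        size_t bytes;
        if (n > kMaxElems || !checked_bytes(n, &bytes)) return false;
        if (n > cap) {
            Obj* p = static_cast<Obj*>(std::realloc(data, bytes));
            if (!p) return false;  // genuine out-of-memory: fail, don't abort
            data = p;
            cap = n;
        }
        if (n > size) std::memset(data + size, 0, (n - size) * sizeof(Obj));
        size = n;
        return true;
    }
};

int main() {
    // 2^60 elements * 16 bytes = 2^64, which wraps to 0 in the naive form.
    std::printf("naive_bytes(2^60) = %zu\n", naive_bytes(size_t(1) << 60));
    Vec v;
    std::printf("resize(4): %d\n", v.resize(4));
    // Element count that would yield the byte count seen in the ASAN report
    // if elements are 16 bytes (arithmetic only, not a claim about the input).
    std::printf("resize(0x1c71c71c71c71c7): %d\n", v.resize(0x1c71c71c71c71c7ULL));
    return 0;
}
```

The point of the split is that a wrapped multiplication and an unvalidated count need different checks: the division-based test in `checked_bytes` catches the wrap, while the `kMaxElems` comparison catches a count that is representable but still unreasonable, which is exactly the case ASan reports here (the request did not wrap; it was simply far beyond anything the allocator will honour).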