
[Bug] NULL Pointer Dereference (WRITE) in sqstd_rex_newnode during regex compilation #314

@oneafter

Description


We discovered a Segmentation Fault in the Squirrel standard library (regex module). The crash occurs in sqstd_rex_newnode when compiling a specifically crafted regular expression.

The ASAN report indicates a WRITE memory access violation on address 0x000000000000, confirming a NULL Pointer Dereference.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: Squirrel (squirrel-lang)
  • Module: sqstdlib (Regex)
  • Vulnerability Type: CWE-476: NULL Pointer Dereference
  • Function: sqstd_rex_newnode
  • Location: sqstdlib/sqstdrex.cpp:85 (called by sqstd_rex_compile)
  • Root Cause Analysis: The crash happens inside sqstd_rex_newnode, which is responsible for allocating or initializing a new node in the regex AST. The ASAN report shows:
        The signal is caused by a WRITE memory access.
        AddressSanitizer: SEGV on unknown address 0x000000000000

This suggests that a pointer being used to store node data (likely the return value of an allocation or a pointer retrieved from the SQRex structure) is NULL. This usually happens when the regex complexity exceeds internal limits (e.g., too many nodes) or when an allocation fails, and the code attempts to write to the resulting NULL pointer without checking its validity.
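The pattern the report describes, a node store that grows on demand and is written to without checking whether the growth succeeded, is shown below with the missing checks in place. This is an added example written for this issue, not Squirrel's sqstd_rex_newnode or any other code from the project: the `Rex`/`RexNode` types, `REX_MAX_NODES`, `rex_newnode` and the fault-injecting `failing_realloc` are all hypothetical names. It reports both failure modes the report names (an exhausted node budget and a failed allocation) as errors to the caller instead of dereferencing NULL.

```c
/* Added example, not Squirrel's own code.  A growable node array for a
   regex AST where allocation failure and a node-count cap are reported
   to the caller instead of being written through as a NULL pointer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REX_MAX_NODES 1024       /* hypothetical complexity limit */

typedef struct {
    int type;
    int left, right, next;       /* indices into the node array, -1 = none */
} RexNode;

typedef struct {
    RexNode *nodes;
    size_t nsize;                /* nodes in use */
    size_t nallocated;           /* capacity of nodes[] */
    const char *error;           /* non-NULL once anything has failed */
    void *(*realloc_fn)(void *, size_t);   /* injectable for fault testing */
} Rex;

/* Constructed fault injector: behaves like realloc until it has been
   called g_fail_after times, then returns NULL like an exhausted heap. */
static int g_fail_after = -1;    /* -1 = never fail */
static int g_calls = 0;
static void *failing_realloc(void *p, size_t n)
{
    if (g_fail_after >= 0 && ++g_calls > g_fail_after) return NULL;
    return realloc(p, n);
}

static int rex_init(Rex *exp, void *(*realloc_fn)(void *, size_t))
{
    memset(exp, 0, sizeof *exp);
    exp->realloc_fn = realloc_fn ? realloc_fn : realloc;
    exp->nallocated = 8;
    exp->nodes = exp->realloc_fn(NULL, exp->nallocated * sizeof(RexNode));
    if (!exp->nodes) { exp->error = "out of memory"; exp->nallocated = 0; return -1; }
    return 0;
}

/* Returns the new node's index, or -1 with exp->error set.  An unchecked
   version would store into exp->nodes right after a failed realloc, which
   is exactly the NULL write the sanitizer reports. */
static int rex_newnode(Rex *exp, int type)
{
    if (exp->error) return -1;                       /* stay failed once failed */
    if (exp->nsize >= REX_MAX_NODES) { exp->error = "regex too complex"; return -1; }
    if (exp->nsize + 1 > exp->nallocated) {
        size_t newcap = exp->nallocated ? exp->nallocated * 2 : 8;
        RexNode *grown = exp->realloc_fn(exp->nodes, newcap * sizeof(RexNode));
        if (!grown) {                                /* old buffer is still valid */
            exp->error = "out of memory";
            return -1;
        }
        exp->nodes = grown;
        exp->nallocated = newcap;
    }
    RexNode n = { type, -1, -1, -1 };
    exp->nodes[exp->nsize] = n;                      /* only reached with a valid buffer */
    return (int)exp->nsize++;
}

static void rex_free(Rex *exp) { free(exp->nodes); exp->nodes = NULL; }

static const char *g_last_error = "";
static const char *last_error(void) { return g_last_error; }

/* Driver: build `count` nodes, making the allocator fail after `fail_after`
   calls (-1 = never).  Returns the node count, or -1 on a caught error. */
static int compile_nodes(int count, int fail_after)
{
    Rex exp;
    int built = 0;
    g_fail_after = fail_after;
    g_calls = 0;
    g_last_error = "";
    if (rex_init(&exp, failing_realloc) != 0) { g_last_error = exp.error; return -1; }
    for (int i = 0; i < count; i++) {
        if (rex_newnode(&exp, i) < 0) { g_last_error = exp.error; rex_free(&exp); return -1; }
        built++;
    }
    rex_free(&exp);
    return built;
}

int main(void)
{
    printf("20 nodes, no faults: %d\n", compile_nodes(20, -1));
    printf("20 nodes, 3rd allocation fails: %d (%s)\n", compile_nodes(20, 2), last_error());
    printf("over the cap: %d (%s)\n", compile_nodes(REX_MAX_NODES + 5, -1), last_error());
    return 0;
}
```

The injectable allocator is what makes the failure path testable: with the initial allocation counting as call one, the node array grows on the 9th and 17th insertions, so letting the allocator fail after two calls exercises the realloc-failure branch on the 17th node while the earlier buffer stays intact and is freed normally.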

Reproduce

  1. Build squirrel with Release optimization and ASAN enabled.
  2. Run with the crashing file:
        ./build/bin/sq repro

ASAN report
==38427==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f88c372e06c bp 0x000000000000 sp 0x7ffdf0dca930 T0)
==38427==The signal is caused by a WRITE memory access.
==38427==Hint: address points to the zero page.
    #0 0x7f88c372e06c in sqstd_rex_newnode(SQRex*, int) /src/squirrel/sqstdlib/sqstdrex.cpp:85:32
    #1 0x7f88c372e06c in sqstd_rex_compile /src/squirrel/sqstdlib/sqstdrex.cpp:564:19
    #2 0x7f88c373d336 in _regexp_constructor(SQVM*) /src/squirrel/sqstdlib/sqstdstring.cpp:482:18
    #3 0x7f88c36dab43 in SQVM::CallNative(SQNativeClosure*, long long, long long, SQObjectPtr&, int, bool&, bool&) /src/squirrel/squirrel/sqvm.cpp:1219:21
    #4 0x7f88c36cfca8 in SQVM::Execute(SQObjectPtr&, long long, long long, SQObjectPtr&, unsigned long long, SQVM::ExecutionType) /src/squirrel/squirrel/sqvm.cpp:812:33
    #5 0x7f88c36be96f in SQVM::Call(SQObjectPtr&, long long, long long, SQObjectPtr&, unsigned long long) /src/squirrel/squirrel/sqvm.cpp:1610:16
    #6 0x7f88c35d3815 in sq_call /src/squirrel/squirrel/sqapi.cpp:1178:12
    #7 0x56549f0a8665 in getargs /src/squirrel/sq/sq.c:193:24
    #8 0x56549f0a9cb7 in main /src/squirrel/sq/sq.c:330:12
    #9 0x7f88c326a1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #10 0x7f88c326a28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #11 0x56549efc6634 in _start (/src/squirrel/build/bin/sq+0x2d634) (BuildId: e84909622778a60c07bbbd32568cd4522dcfe97d)

==38427==Register values:
rax = 0x0000000000000000  rbx = 0x000050b000000498  rcx = 0x0000000000000000  rdx = 0x0000000000000001  
rdi = 0x0000000000000000  rsi = 0x00007f88c2c1a0d0  rbp = 0x0000000000000000  rsp = 0x00007ffdf0dca930  
 r8 = 0x0000000000000001   r9 = 0x0000524000000000  r10 = 0x00007fffffffff01  r11 = 0x3fcfba21cdd4d001  
r12 = 0x000050b000000488  r13 = 0x00000aca93e1d797  r14 = 0x00000a1600000093  r15 = 0x000056549f0ebcb8  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/squirrel/sqstdlib/sqstdrex.cpp:85:32 in sqstd_rex_newnode(SQRex*, int)
==38427==ABORTING
