NULL pointer dereference in GenerateBinary #8902

@OwenSanzas

Description

Summary

file_saver->SaveFile() is called without a NULL check in idl_gen_binary.cpp:53.

Root Cause

IDLOptions::file_saver defaults to nullptr. When GenerateBinary() is called with a non-empty builder, it dereferences a NULL pointer.

PoC

# Writes the fuzzer input that reproduces the crash to poc.bin
poc = bytes([
    0x52, 0x0a, 0x2f, 0x2f, 0x25, 0x31, 0x2f, 0x2f, 0x2f, 0x41, 0x41, 0xbf,
    0xc5, 0xc0, 0x41, 0x41, 0x6d, 0x6d, 0x6d, 0xba, 0x02, 0x2f, 0x2a, 0x63,
    0x74, 0x31, 0x6f, 0x72, 0x35, 0x9a, 0x2a, 0x2a, 0x2f, 0x2f, 0x2f, 0x0a,
    0x2f, 0x2f, 0x2f, 0x99, 0x33, 0xf1, 0xd0, 0x3a, 0x0a, 0x0a, 0x2f, 0x2f,
    0x33, 0x9a, 0x9a, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63,
    0x65, 0x3b, 0x2f, 0x2f, 0x41, 0x5a, 0x7c, 0xe0
])
with open("poc.bin", "wb") as f:
    f.write(poc)
  • Fuzzer: codegen_fuzzer
  • Sanitizer: AddressSanitizer
  • Run: ./codegen_fuzzer poc.bin
==1==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
==1==The signal is caused by a READ memory access.
==1==Hint: address points to the zero page.
    #0 0x55b5c0a851c4 in GenerateBinary /src/flatbuffers/src/idl_gen_binary.cpp:53:34
    #1 0x55b5c0a851c4 in BinaryCodeGenerator::GenerateCode

Suggested Fix

--- a/src/idl_gen_binary.cpp
+++ b/src/idl_gen_binary.cpp
@@ -41,6 +41,7 @@ static std::string BinaryFileName(const Parser& parser, const std::string& path,

 static bool GenerateBinary(const Parser& parser, const std::string& path,
                            const std::string& file_name) {
+  if (!parser.opts.file_saver) return false;
   if (parser.opts.use_flexbuffers) {
     auto data_vec = parser.flex_builder_.GetBuffer();
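Review bot: the added `if (!parser.opts.file_saver) return false;` fails silently, so the caller shown in the trace (BinaryCodeGenerator::GenerateCode) only sees a generic false with nothing saying that file_saver was never configured; emit a diagnostic before returning so a misconfigured IDLOptions is distinguishable from an ordinary write failure. Since the Root Cause section says the nullptr default is what makes this state reachable, it is also worth considering whether the option should default to a non-null saver that refuses to write, which removes the null state rather than guarding one call site.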

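An added example, not flatbuffers code, that models the IDLOptions::file_saver pattern from this report: the unguarded call, the guard from the suggested fix with a diagnostic, and a non-null default that removes the null state. All struct and function names here are assumptions.

```cpp
// Added example (not the project's code): a nullable saver callback as in
// IDLOptions::file_saver, with the guarded and unguarded generator side by side.
#include <cstdio>
#include <string>
#include <vector>

using FileSaver = bool (*)(const std::string &path, const std::string &contents);

struct Options {                      // assumed stand-in for IDLOptions
  bool use_flexbuffers = false;
  FileSaver file_saver = nullptr;     // defaults to nullptr, as in the report
};

struct FakeParser {                   // assumed stand-in for Parser
  Options opts;
  std::vector<unsigned char> buffer;  // stands in for the builder output
};

// Unguarded: calls through a null callback when file_saver was never set.
static bool GenerateBinaryUnguarded(const FakeParser &p, const std::string &path) {
  std::string contents(p.buffer.begin(), p.buffer.end());
  return p.opts.file_saver(path, contents);  // NULL dereference if unset
}

// Guarded: the check from the suggested fix, plus a diagnostic so the caller
// can tell a missing saver apart from a failed write.
static bool GenerateBinaryGuarded(const FakeParser &p, const std::string &path) {
  if (!p.opts.file_saver) {
    std::fprintf(stderr, "GenerateBinary: no file_saver configured for %s\n", path.c_str());
    return false;
  }
  std::string contents(p.buffer.begin(), p.buffer.end());
  return p.opts.file_saver(path, contents);
}

// Alternative mitigation: a non-null default that refuses to write, so no
// call site can forget the check.
static bool RefusingSaver(const std::string &path, const std::string &) {
  std::fprintf(stderr, "file_saver not configured; refusing to write %s\n", path.c_str());
  return false;
}

struct SafeOptions {                  // assumed alternative to Options
  FileSaver file_saver = RefusingSaver;
};

// Recording saver used to show the guarded path succeeds once configured.
static std::string g_last_saved_path;
static bool RecordingSaver(const std::string &path, const std::string &) {
  g_last_saved_path = path;
  return true;
}
```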