1. Forum
  2. DOVE-Net
  3. Synchronet Programming

  • src/syncterm/wren/vm/wren_compiler.c

    From Deuc¨@VERT to Git commit to main/sbbs/master on Thu Apr 30 10:38:25 2026
    https://gitlab.synchro.net/main/sbbs/-/commit/d938e6f021a3c87c0cd7553f
    Modified Files:
    src/syncterm/wren/vm/wren_compiler.c
    Log Message:
    SyncTERM: harden vendored Wren compiler against fuzzer-found crashes

    Five compiler-level bugs reported by oneafter against upstream
    wren-lang/wren (issues #1217-#1221). All five reproducers exit cleanly
    with compile errors after the fix under -fsanitize=address,undefined.

    #1217 Ä peekChar OOB in readRawString: the loop unconditionally peeked
    two characters after nextChar(), so consuming the buffer's terminating
    '\0' caused a 1-byte read past the source allocation. The "consume the
    closing two quotes" calls after the loop did the same on the
    unterminated path. Hoist the c=='\0' check above the peeks; only run
    the trailing two-quote consume when the loop actually saw the closing triple-quote.

    #1218 Ä stack exhaustion via deep nesting: the recursive descent
    parser had no depth limit. ~300 frames of definition/finishBlock/ statement/forStatement/loopBody corrupted the C stack and ASAN
    reported it as a heap-buffer-underflow in resolveLocal's memcmp. Add MAX_RECURSION_DEPTH (256) plus a recursionDepth counter on Parser;
    gate statement() and expression() at the entry point.

    #1219 Ä emitOp stackEffects[] OOB: validateNumParameters reports an
    error at arity == MAX_PARAMETERS+1 but does not stop or clamp, so
    callSignature emits (Code)(CODE_CALL_0 + arity) past CALL_16/SUPER_16
    and emitOp reads stackEffects[] beyond its 77 entries. Clamp arity in callSignature and callMethod, and add a sizeof-based bounds guard in
    emitOp as the safety net.

    #1220 Ä NULL deref in getByteCountForArguments: after error recovery
    emits malformed bytecode, endLoop's body walk treats arg bytes as
    opcodes; a CODE_CLOSURE byte then dereferences constants[] with a
    bogus index against an empty (NULL data) constants buffer. Skip the
    walk entirely when parser->hasError is set Ä the function is going to
    be discarded anyway.

    #1221 Ä vsprintf overflow in printError: a 159-byte stack buffer was
    filled by sprintf+vsprintf with no length checks. Attacker-controlled identifiers (method/variable names ó MAX_VARIABLE_NAME * actual
    length) can blow the buffer via formats like "Method '%s' is already
    defined." Switch to snprintf+vsnprintf with remaining-bytes
    accounting; drop the now-redundant ASSERT.

    Thanks to oneafter for the careful fuzzing reports and reproducers.

    Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

    ---
    þ Synchronet þ Vertrauen þ Home of Synchronet þ [vert/cvs/bbs].synchro.net