OOB Access due to Index Confusion in SquirrelLang [CVE-2021-41556]

We discussed this vulnerability during Episode 94 on 26 October 2021

There is an out-of-bounds access that occurs by causing Squirrel to look up a method in the array of class fields.

When accessing class fields and methods, a lookup is performed on the attribute's name to determine its index within one of two internal arrays (one for fields, one for methods). The most significant byte of this index is a bit-field indicating which of the two arrays the index refers to: 0x02000000 for fields, 0x01000000 for methods.

The problem is that the number of class members is not limited, so the index can grow into that bit and fool the _isfield() macro that checks the field bit. An attacker could craft a class with more than 0x020000XX methods but only one field. The _isfield() check will pass, and the index 0x000000XX (the bit-field is masked out) will be looked up in the field array, going out of bounds.
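The following C model is an added example and is not Squirrel's own code. It reproduces the tagged-index scheme described above: the two tag values (0x02000000 for fields, 0x01000000 for methods) are the ones quoted on the page, while the names `is_field`, `member_idx`, the 24-bit slot mask and the bound check are assumptions modelled on the `_isfield()` macro the page mentions. It shows how an unchecked member count lets a method index acquire the field tag, and the check that keeps the slot number out of the tag byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the member-index encoding: the top byte of a 32-bit
 * index is a type tag, the low 24 bits are the slot number in the backing
 * array. Tag values are the ones quoted on the page; the mask is assumed. */
#define MEMBER_TYPE_METHOD 0x01000000u
#define MEMBER_TYPE_FIELD  0x02000000u
#define MEMBER_IDX_MASK    0x00FFFFFFu

/* Number of slots that fit in the 24-bit index part (assumed cap). */
#define MEMBER_MAX_SLOTS   (MEMBER_IDX_MASK + 1u)

/* Model of the _isfield() check: only the field tag bit is examined. */
static int is_field(uint32_t idx)        { return (idx & MEMBER_TYPE_FIELD) != 0; }
/* Model of the index extraction: tag byte is masked out. */
static uint32_t member_idx(uint32_t idx) { return idx & MEMBER_IDX_MASK; }

/* Unchecked encoding: the slot number is OR'd with the method tag with no
 * bound. Once slot reaches 0x02000000 the field tag bit is set on what is
 * really a method index, and the low 24 bits no longer identify the slot. */
static uint32_t encode_method_unchecked(uint32_t slot) {
    return slot | MEMBER_TYPE_METHOD;
}

/* Hardened encoding: refuse slots that do not fit in 24 bits, so an index can
 * never spill into the tag byte. Returns 0 on success, -1 if rejected. */
static int encode_method_checked(uint32_t slot, uint32_t *out) {
    if (slot >= MEMBER_MAX_SLOTS) return -1;
    *out = slot | MEMBER_TYPE_METHOD;
    return 0;
}

/* Resolve a tagged index the way the lookup would: pick the array from the
 * tag, then compare the slot against that array's length. Returns 1 if the
 * access stays in bounds, 0 if it would read past the end. */
static int lookup_in_bounds(uint32_t idx, size_t nfields, size_t nmethods) {
    uint32_t slot = member_idx(idx);
    return is_field(idx) ? (slot < nfields) : (slot < nmethods);
}

int main(void) {
    /* Constructed scenario: one field, and a method whose slot number has
     * grown past the field tag boundary. */
    size_t nfields = 1, nmethods = 0x02000006u;
    uint32_t bad = encode_method_unchecked(0x02000005u);
    printf("unchecked index 0x%08x: is_field=%d slot=%u in_bounds=%d\n",
           bad, is_field(bad), member_idx(bad),
           lookup_in_bounds(bad, nfields, nmethods));

    uint32_t good;
    if (encode_method_checked(0x02000005u, &good) != 0)
        printf("checked encoding rejected slot 0x02000005\n");
    if (encode_method_checked(7u, &good) == 0)
        printf("checked encoding accepted slot 7 -> 0x%08x\n", good);
    return 0;
}
```

The unchecked index is tagged as a field and masks down to slot 5, so a lookup against a one-element field array is out of bounds; the checked encoder rejects the same slot before an index is ever produced.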

To exploit this, the author crafts a string that imitates the SQObjectPtr structure the field array normally contains, prepares the heap to place it next to the _defaultvalues array, and tricks Squirrel into returning an array that points to 0x0 and contains 0xffffffffffffffff elements, giving access to the entire address space.