Merge commit from fork

The overflow was reported by Github user Finder16

Author: Rot127

cs.c

@@ -1323,11 +1323,13 @@ size_t CAPSTONE_API cs_disasm(csh ud, const uint8_t *buffer, size_t size,
 				skipdata_bytes = handle->skipdata_size;
 
 			// we have to skip some amount of data, depending on arch & mode
-			insn_cache->id =
-				0; // invalid ID for this "data" instruction
+			// invalid ID for this "data" instruction
+			insn_cache->id = 0;
 			insn_cache->address = offset;
-			insn_cache->size = (uint16_t)skipdata_bytes;
-			memcpy(insn_cache->bytes, buffer, skipdata_bytes);
+			insn_cache->size = (uint16_t)MIN(
+				skipdata_bytes, sizeof(insn_cache->bytes));
+			memcpy(insn_cache->bytes, buffer,
+			       MIN(skipdata_bytes, sizeof(insn_cache->bytes)));
 #ifdef CAPSTONE_DIET
 			insn_cache->mnemonic[0] = '\0';
 			insn_cache->op_str[0] = '\0';
@@ -1537,12 +1539,13 @@ bool CAPSTONE_API cs_disasm_iter(csh ud, const uint8_t **code, size_t *size,
 		// we have to skip some amount of data, depending on arch & mode
 		insn->id = 0; // invalid ID for this "data" instruction
 		insn->address = *address;
-		insn->size = (uint16_t)skipdata_bytes;
+		insn->size = (uint16_t)MIN(skipdata_bytes, sizeof(insn->bytes));
+		memcpy(insn->bytes, *code,
+		       MIN(skipdata_bytes, sizeof(insn->bytes)));
 #ifdef CAPSTONE_DIET
 		insn->mnemonic[0] = '\0';
 		insn->op_str[0] = '\0';
 #else
-		memcpy(insn->bytes, *code, skipdata_bytes);
 		strncpy(insn->mnemonic, handle->skipdata_setup.mnemonic,
 			sizeof(insn->mnemonic) - 1);
 		skipdata_opstr(insn->op_str, *code, skipdata_bytes);

tests/integration/CMakeLists.txt

@@ -33,7 +33,7 @@ add_test(NAME integration_c_compat_headers
   WORKING_DIRECTORY ${COMPAT_C_TEST_DIR}
 )
 
-set(INTEGRATION_TEST_SRC test_litbase.c)
+set(INTEGRATION_TEST_SRC test_litbase.c test_poc.c)
 if(CMAKE_BUILD_TYPE STREQUAL "Release")
   set(INTEGRATION_TEST_SRC ${INTEGRATION_TEST_SRC} test_assert_macros.c)
 endif()

tests/integration/test_poc.c

@@ -0,0 +1,84 @@
+// SPDX-License-Identifier: BSD-3
+// SPDX-FileCopyrightText: 2025 Finder16
+// SPDX-FileCopyrightText: 2025 Rot127 <unisono@quyllur.org>
+
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <capstone/platform.h>
+#include <capstone/capstone.h>
+
+static size_t big_skip(const uint8_t *code, size_t code_size, size_t offset,
+		       void *user_data)
+{
+	(void)code;
+	(void)code_size;
+	(void)offset;
+	(void)user_data;
+	return 1024; // larger than cs_insn.bytes (24)
+}
+
+/// Possible buffer overflow of cs_insn.bytes if number of skipped bytes
+/// is larger.
+/// Reported by Finder16.
+static void test_overflow_cs_insn_bytes()
+{
+	csh handle;
+	if (cs_open(CS_ARCH_WASM, CS_MODE_LITTLE_ENDIAN, &handle) !=
+	    CS_ERR_OK) {
+		return;
+	}
+	cs_opt_skipdata skip = { .mnemonic = ".byte",
+				 .callback = big_skip,
+				 .user_data = NULL };
+	cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON);
+	cs_option(handle, CS_OPT_SKIPDATA_SETUP, (size_t)&skip);
+	uint8_t buf[1024] = { 0 };
+	buf[0] = 0x06; // invalid WASM opcode to force skipdata path
+	cs_insn *insn = NULL;
+	// Overflowed cs_insn->bytes before the fix.
+	cs_disasm(handle, buf, sizeof(buf), 0, 1, &insn);
+	cs_free(insn, 1);
+	cs_close(&handle);
+	return;
+}
+
+/// Possible buffer overflow of cs_insn.bytes if number of skipped bytes
+/// is larger.
+/// Reported by Finder16.
+static void test_overflow_cs_insn_bytes_iter()
+{
+	csh handle;
+	if (cs_open(CS_ARCH_WASM, CS_MODE_LITTLE_ENDIAN, &handle) !=
+	    CS_ERR_OK) {
+		return;
+	}
+	cs_opt_skipdata skip = { .mnemonic = ".byte",
+				 .callback = big_skip,
+				 .user_data = NULL };
+	cs_option(handle, CS_OPT_SKIPDATA, CS_OPT_ON);
+	cs_option(handle, CS_OPT_SKIPDATA_SETUP, (size_t)&skip);
+	uint64_t address = 0;
+	uint8_t buf[1024] = { 0 };
+	const uint8_t *b = buf;
+	size_t size = sizeof(buf);
+	buf[0] = 0x06; // invalid WASM opcode to force skipdata path
+	cs_insn *insn = cs_malloc(handle);
+;
+	// Overflowed cs_insn->bytes before the fix.
+	while (cs_disasm_iter(handle, &b, &size, &address, insn)) {
+		continue;
+	}
+	cs_free(insn, 1);
+	cs_close(&handle);
+	return;
+}
+
+int main()
+{
+	test_overflow_cs_insn_bytes();
+	test_overflow_cs_insn_bytes_iter();
+
+	return 0;
+}