From 06b93969b09e47e76e141a6716d2830433cd7088 Mon Sep 17 00:00:00 2001
From: pancake <pancake@nopcode.org>
Date: Wed, 13 Jun 2018 15:43:44 +0200
Subject: [PATCH] Fix some more oobreads in v850

---
 libr/asm/arch/v850/v850_disas.c | 67 +++++++++++++++------------------
 libr/core/cmd.c                 |  1 +
 2 files changed, 32 insertions(+), 36 deletions(-)

diff --git a/libr/asm/arch/v850/v850_disas.c b/libr/asm/arch/v850/v850_disas.c
index e2cd991666..0f7d58f2f0 100644
--- a/libr/asm/arch/v850/v850_disas.c
+++ b/libr/asm/arch/v850/v850_disas.c
@@ -1,3 +1,5 @@
+/* radare - LGPL - Copyright 2014-2018 - Fedor Sakharov */
+
 #include <r_types.h>
 #include <r_util.h>
 #include <r_endian.h>
@@ -99,9 +101,7 @@ static const char *conds[] = {
 };
 
 static int decode_reg_reg(const ut16 instr, struct v850_cmd *cmd) {
-	ut8 opcode;
-
-	opcode = get_opcode (instr);
+	ut8 opcode = get_opcode (instr);
 
 	if (opcode >= sizeof (instrs)/sizeof (char *)) {
 		return -1;
@@ -121,18 +121,14 @@ static int decode_reg_reg(const ut16 instr, struct v850_cmd *cmd) {
 }
 
 static int decode_imm_reg(const ut16 instr, struct v850_cmd *cmd) {
-	ut8 opcode;
-	st8 immed;
-
-	opcode = get_opcode (instr);
-
-	if (opcode >= sizeof (instrs)/sizeof (char *)) {
+	ut8 opcode = get_opcode (instr);
+	if (opcode >= sizeof (instrs) / sizeof (char *)) {
 		return -1;
 	}
 
 	snprintf (cmd->instr, V850_INSTR_MAXLEN - 1, "%s", instrs[opcode]);
 
-	immed = get_reg1 (instr);
+	st8 immed = get_reg1 (instr);
 
 	if (immed & 0x10) {
 		immed |= 0xE0;
@@ -154,29 +150,26 @@ static int decode_imm_reg(const ut16 instr, struct v850_cmd *cmd) {
 	return 2;
 }
 
-static int decode_bcond(const ut16 instr, struct v850_cmd *cmd) {
-	ut16 disp;
-
-	disp = ((instr >> 4) & 0x7) | (instr >> 11);
-	disp = disp << 1;
+static int decode_bcond(const ut16 instr, int len, struct v850_cmd *cmd) {
+	ut16 disp = ((instr >> 4) & 0x7) | (instr >> 11);
+	disp <<= 1;
 
 	snprintf (cmd->instr, V850_INSTR_MAXLEN - 1, "b%s", conds[instr & 0xF]);
-
 	snprintf (cmd->operands, V850_INSTR_MAXLEN - 1, "0x%x", disp);
 
 	return 2;
 }
 
-static int decode_jarl(const ut8 *instr, struct v850_cmd *cmd) {
-	ut8 reg;
-	ut16 word1, word2;
-	ut32 disp;
+static int decode_jarl(const ut8 *instr, int len, struct v850_cmd *cmd) {
+	if (len < 4) {
+		return -1;
+	}
 
-	word1 = r_read_le16 (instr);
-	word2 = r_read_at_le16 (instr, 2);
+	ut16 word1 = r_read_le16 (instr);
+	ut16 word2 = r_read_at_le16 (instr, 2);
 
-	reg = get_reg2 (word1);
-	disp = (word2 << 6) | get_reg1 (word1);
+	ut8 reg = get_reg2 (word1);
+	ut32 disp = (word2 << 6) | get_reg1 (word1);
 
 	snprintf (cmd->instr, V850_INSTR_MAXLEN - 1, "%s", instrs[get_opcode (word1)]);
 	snprintf (cmd->operands, V850_INSTR_MAXLEN - 1, "0x%08x, r%d",
@@ -185,16 +178,15 @@ static int decode_jarl(const ut8 *instr, struct v850_cmd *cmd) {
 	return 4;
 }
 
-static int decode_3operands(const ut8 *instr, struct v850_cmd *cmd) {
-	ut16 word1, word2;
-
-	word1 = r_read_le16 (instr);
-	word2 = r_read_at_le16 (instr, 2);
-
+static int decode_3operands(const ut8 *instr, int len, struct v850_cmd *cmd) {
+	if (len < 4) {
+		return -1;
+	}
+	ut16 word1 = r_read_le16 (instr);
+	ut16 word2 = r_read_at_le16 (instr, 2);
 	snprintf (cmd->instr, V850_INSTR_MAXLEN - 1, "%s", instrs[get_opcode (word1)]);
 	snprintf (cmd->operands, V850_INSTR_MAXLEN - 1, "0x%x, r%d, r%d",
 			word2, get_reg1 (word1), get_reg2 (word1));
-
 	return 4;
 }
 
@@ -234,9 +226,12 @@ static int decode_load_store(const ut8 *instr, int len, struct v850_cmd *cmd) {
 	return 4;
 }
 
-static int decode_bit_op(const ut8 *instr, struct v850_cmd *cmd) {
+static int decode_bit_op(const ut8 *instr, int len, struct v850_cmd *cmd) {
 	ut16 word1, word2;
 	ut8 reg1;
+	if (len < 4) {
+		return -1;
+	}
 
 	word1 = r_read_le16 (instr);
 	word2 = r_read_at_le16 (instr, 2);
@@ -345,11 +340,11 @@ int v850_decode_command (const ut8 *instr, int len, struct v850_cmd *cmd) {
 	case V850_XORI:
 	case V850_ANDI:
 	case V850_MULHI:
-		ret = decode_3operands (instr, cmd);
+		ret = decode_3operands (instr, len, cmd);
 		break;
 	case V850_JARL1:
 	case V850_JARL2:
-		ret = decode_jarl (instr, cmd);
+		ret = decode_jarl (instr, len, cmd);
 		break;
 	case V850_STB:
 	case V850_LDB:
@@ -358,14 +353,14 @@ int v850_decode_command (const ut8 *instr, int len, struct v850_cmd *cmd) {
 		ret = decode_load_store (instr, len, cmd);
 		break;
 	case V850_BIT_MANIP:
-		ret = decode_bit_op (instr, cmd);
+		ret = decode_bit_op (instr, len, cmd);
 		break;
 	case V850_EXT1:
 		ret = decode_extended (instr, len, cmd);
 		break;
 	default:
 		if ((get_opcode (in) >> 2) == 0xB) {
-			ret = decode_bcond (in, cmd);
+			ret = decode_bcond (in, len, cmd);
 		} else {
 			ret = -1;
 		}
diff --git a/libr/core/cmd.c b/libr/core/cmd.c
index 8978ba0c60..6c1b07f68f 100644
--- a/libr/core/cmd.c
+++ b/libr/core/cmd.c
@@ -1790,6 +1790,7 @@ beach:
 }
 
 static char *find_eoq(char *p) {
+eprintf ("EOQ\n");
 	for (; *p; p++) {
 		if (*p == '"') {
 			break;