Fix 3 null derefs and two overflows in java

This commit is contained in:
pancake 2017-04-18 01:16:07 +02:00
parent 9b54c51199
commit 16c73edfa5
3 changed files with 27 additions and 9 deletions


@ -108,7 +108,7 @@ static const char *readString(RBuffer *buf, int off) {
}
static ut64 baddr(RBinFile *arch) {
return readLE32 (arch->buf, NRO_OFFSET_MODMEMOFF);
return arch? readLE32 (arch->buf, NRO_OFFSET_MODMEMOFF): 0;
}
static const char *fileType(const ut8 *buf) {
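Review bot: The new guard on the baddr return covers `arch` but not `arch->buf`, which readLE32 presumably dereferences, so a bin file object without a buffer still crashes on this line; `return (arch && arch->buf)? readLE32 (arch->buf, NRO_OFFSET_MODMEMOFF): 0;` closes that gap. Returning 0 for a missing arch is indistinguishable from a genuine base address of 0, so a short comment such as `// no file/buffer: report base 0 instead of faulting` would make the fallback explicit for callers. Whether readLE32 itself bounds-checks NRO_OFFSET_MODMEMOFF against the buffer length is not visible in this hunk.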


@ -2002,14 +2002,13 @@ static int get_cgnodes(RAGraph *g, RCore *core, RAnalFunction *fcn) {
if (!f) {
return false;
}
if (!fcn) {
fcn = f;
}
r_core_seek (core, f->addr, 1);
if (fcn) {
title = get_title (fcn->addr);
} else {
title = r_str_newf ("0x%08"PFMT64x, core->offset);
}
title = get_title (fcn->addr);
fcn_anode = r_agraph_add_node (g, title, "");
free (title);

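Review bot: The result of `r_agraph_add_node` at the end of the hunk is stored in fcn_anode but never checked, and the remainder of get_cgnodes (which ends outside this hunk) presumably dereferences it; if that call can return NULL on allocation failure, `if (!fcn_anode) { return false; }` after `free (title);` would mirror the `!f` handling added above. The new fallback `fcn = f` also quietly replaces the old raw `core->offset` hex title with `get_title (f->addr)`; a comment like `// no explicit function: graph the one at the current offset` would document that the seek and the title now both follow f. When both fcn and f are set and differ, the seek goes to f->addr while the title names fcn->addr — pre-existing, but worth confirming it is intended. get_cgnodes begins before this hunk, so where f comes from is not visible here.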

@ -8739,9 +8739,10 @@ R_API int U(r_bin_java_double_cp_set)(RBinJavaObj * bin, ut16 idx, ut32 val) {
}
r_bin_java_check_reset_cp_obj (cp_obj, R_BIN_JAVA_CP_DOUBLE);
cp_obj->tag = R_BIN_JAVA_CP_DOUBLE;
memcpy (bytes, (const char *) &val, 8);
val = r_bin_java_raw_to_long (bytes, 0);
memcpy (&cp_obj->info.cp_double.bytes.raw, (const char *) &val, 8);
ut64 val64 = val;
memcpy (bytes, (const char *) &val64, 8);
val64 = r_bin_java_raw_to_long (bytes, 0);
memcpy (&cp_obj->info.cp_double.bytes.raw, (const char *) &val64, 8);
return true;
}
@ -8898,21 +8899,39 @@ R_API ut8 *U(r_bin_java_cp_append_ref_cname_fname_ftype)(RBinJavaObj * bin, ut32
}
bytes = calloc (1, total_len);
// class name bytes
if (*out_sz + cn_len >= total_len) {
goto beach;
}
memcpy (bytes, cn_bytes + *out_sz, cn_len);
*out_sz += cn_len;
// field name bytes
if (*out_sz + fn_len >= total_len) {
goto beach;
}
memcpy (bytes, fn_bytes + *out_sz, fn_len);
*out_sz += fn_len;
// field type bytes
if (*out_sz + ft_len >= total_len) {
goto beach;
}
memcpy (bytes, ft_bytes + *out_sz, ft_len);
*out_sz += ft_len;
// class ref bytes
if (*out_sz + cref_len >= total_len) {
goto beach;
}
memcpy (bytes, cref_bytes + *out_sz, cref_len);
*out_sz += fn_len;
// field name and type bytes
if (*out_sz + fnt_len >= total_len) {
goto beach;
}
memcpy (bytes, fnt_bytes + *out_sz, fnt_len);
*out_sz += fnt_len;
// field ref bytes
if (*out_sz + fref_len >= total_len) {
goto beach;
}
memcpy (bytes, fref_bytes + *out_sz, fref_len);
*out_sz += fref_len;
}
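Review bot: The new bounds checks guard the destination offset, but every memcpy that follows them still writes to `bytes` at offset 0 and reads from `cn_bytes + *out_sz` (and likewise for the five copies after it), so each chunk overwrites the previous one and, once *out_sz is non-zero, the reads run past the source buffers if those hold only cn_len/fn_len/... bytes; the intended form looks like `memcpy (bytes + *out_sz, cn_bytes, cn_len);`. After the class-ref copy the offset is advanced with `*out_sz += fn_len;` rather than `*out_sz += cref_len;`, which shifts every later check and copy. `bytes = calloc (1, total_len);` is not checked before the first memcpy, so an allocation failure is a NULL write — `if (!bytes) { goto beach; }` right after it, assuming beach (outside this hunk) tolerates a NULL bytes. The `>=` comparisons also reject a chunk that exactly fills total_len; if total_len is the sum of the six lengths (computed above the hunk), the final copy always jumps to beach, so `>` may be what is wanted. The function starts and ends outside this hunk.
```c
	bytes = calloc (1, total_len);
	if (!bytes) {
		goto beach;
	}
	// class name bytes
	if (*out_sz + cn_len >= total_len) {
		goto beach;
	}
	memcpy (bytes + *out_sz, cn_bytes, cn_len);
	*out_sz += cn_len;
	// … unchanged pattern for field name, field type, class ref, field name+type and field ref, each copying to bytes + *out_sz from the start of its source, and advancing by cref_len after the class ref copy …
```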