Magic-Mirror/radare2
1
0
Fork 0
mirror of https://github.com/radareorg/radare2.git synced 2024-11-27 15:10:53 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Fix uaf in bin_dex.c and oob write in pi with dex

Browse Source
This commit is contained in:
Álvaro Felipe Melchor 2016-12-19 19:41:10 +01:00
parent d8739b1893
commit 1a05aecaa4
2 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
libr/asm/asm.c
View File

@ -29,7 +29,7 @@ static int r_asm_pseudo_string(RAsmOp *op, char *input, int zero) {
}
len = r_str_unescape (input)+zero;
r_hex_bin2str ((ut8*)input, len, op->buf_hex);
strncpy ((char*)op->buf, input, R_ASM_BUFSIZE-1);
strncpy ((char*)op->buf, input, R_ASM_BUFSIZE - 1);
return len;
}
@ -406,7 +406,8 @@ R_API int r_asm_disassemble(RAsm *a, RAsmOp *op, const ut8 *buf, int len) {
if (a->ofilter) {
r_parse_parse (a->ofilter, op->buf_asm, op->buf_asm);
}
memcpy (op->buf, buf, oplen);
//XXX check against R_ASM_BUFSIZE other oob write
memcpy (op->buf, buf, R_MIN (R_ASM_BUFSIZE - 1, oplen));
*op->buf_hex = 0;
if ((oplen * 4) >= sizeof (op->buf_hex)) {
oplen = (sizeof (op->buf_hex) / 4) - 1;
@ -475,7 +476,7 @@ R_API int r_asm_assemble(RAsm *a, RAsmOp *op, const char *buf) {
r_hex_bin2str (op->buf, ret, op->buf_hex);
op->size = ret;
op->buf_hex[ret*2] = 0;
strncpy (op->buf_asm, b, R_ASM_BUFSIZE-1);
strncpy (op->buf_asm, b, R_ASM_BUFSIZE - 1);
}
free (b);
return ret;

3
libr/bin/p/bin_dex.c
View File

@ -536,10 +536,10 @@ static void dex_parse_debug_item(RBinFile *binfile, RBinDexObj *bin,
}
opcode = *(p4++) & 0xff;
}
r_list_free (params);
if (!dexdump) {
r_list_free (debug_positions);
r_list_free (emitted_debug_locals);
r_list_free (params);
return;
}
@ -593,6 +593,7 @@ static void dex_parse_debug_item(RBinFile *binfile, RBinDexObj *bin,
}
r_list_free (debug_positions);
r_list_free (emitted_debug_locals);
r_list_free (params);
}
static int check (RBinFile *arch);