Fix #9726 - 1 byte oob read in dalvik analysis

This commit is contained in:
pancake 2018-03-21 16:04:15 +01:00
parent 9074d2904a
commit 24282de142
2 changed files with 32 additions and 30 deletions


@ -67,7 +67,7 @@ static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int l
case 0x18: // const-wide
case 0x19: // const-wide
op->type = R_ANAL_OP_TYPE_MOV;
{
if (len > 2) {
int vA = (int) data[1];
ut32 vB = (data[3] << 8) | data[2];
esilprintf (op, "v%d,v%d,=", vA, vB);
@ -87,7 +87,7 @@ static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int l
break;
case 0x1a: // const-string
op->type = R_ANAL_OP_TYPE_MOV;
{
if (len > 2) {
ut32 vA = data[1];
ut32 vB = (data[3]<<8) | data[2];
ut64 offset = R_ANAL_GET_OFFSET (anal, 's', vB);
@ -277,16 +277,20 @@ static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int l
esilprintf (op, "0x%"PFMT64x",ip,=", op->jump);
break;
case 0x29: // goto/16
op->jump = addr + (short)(data[2]|data[3]<<8)*2;
op->type = R_ANAL_OP_TYPE_JMP;
op->eob = true;
esilprintf (op, "0x%"PFMT64x",ip,=", op->jump);
if (len > 2) {
op->jump = addr + (short)(data[2]|data[3]<<8)*2;
op->type = R_ANAL_OP_TYPE_JMP;
op->eob = true;
esilprintf (op, "0x%"PFMT64x",ip,=", op->jump);
}
break;
case 0x2a: // goto/32
op->jump = addr + (int)(data[2]|(data[3]<<8)|(data[4]<<16)|(data[5]<<24))*2;
op->type = R_ANAL_OP_TYPE_JMP;
op->eob = true;
esilprintf (op, "0x%"PFMT64x",ip,=", op->jump);
if (len > 2) {
op->jump = addr + (int)(data[2]|(data[3]<<8)|(data[4]<<16)|(data[5]<<24))*2;
op->type = R_ANAL_OP_TYPE_JMP;
op->eob = true;
esilprintf (op, "0x%"PFMT64x",ip,=", op->jump);
}
break;
case 0x2c:
case 0x2b:
@ -315,9 +319,11 @@ static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int l
case 0x3d: // if-lez
op->type = R_ANAL_OP_TYPE_CJMP;
//XXX fix this better the check is to avoid an oob
op->jump = addr + (len>3?(short)(data[2]|data[3]<<8)*2 : 0);
op->fail = addr + sz;
op->eob = true;
if (len > 2) {
op->jump = addr + (len>3?(short)(data[2]|data[3]<<8)*2 : 0);
op->fail = addr + sz;
op->eob = true;
}
break;
case 0xec: // breakpoint
case 0x1d: // monitor-enter
@ -345,16 +351,15 @@ static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int l
case 0xf0: // invoke-object-init-range
case 0xf9: // invoke-virtual-quick/range
case 0xfb: // invoke-super-quick/range
{
//XXX fix this better since the check avoid an oob
//but the jump will be incorrect
ut32 vB = len > 3?(data[3] << 8) | data[2] : 0;
op->jump = anal->binb.get_offset (anal->binb.bin, 'm', vB);
op->fail = addr + sz;
op->type = R_ANAL_OP_TYPE_CALL;
// TODO: handle /range instructions
esilprintf (op, "8,sp,-=,0x%"PFMT64x",sp,=[8],0x%"PFMT64x",ip,=", addr);
if (len > 2) {
//XXX fix this better since the check avoid an oob
//but the jump will be incorrect
ut32 vB = len > 3?(data[3] << 8) | data[2] : 0;
op->jump = anal->binb.get_offset (anal->binb.bin, 'm', vB);
op->fail = addr + sz;
op->type = R_ANAL_OP_TYPE_CALL;
// TODO: handle /range instructions
esilprintf (op, "8,sp,-=,0x%"PFMT64x",sp,=[8],0x%"PFMT64x",ip,=", addr);
}
break;
case 0x27: // throw
@ -375,7 +380,7 @@ static int dalvik_op(RAnal *anal, RAnalOp *op, ut64 addr, const ut8 *data, int l
case 0x26: // filled-new-array-data
op->type = R_ANAL_OP_TYPE_NEW;
// 0x1c, 0x1f, 0x22
{
if (len > 2) {
//int vA = (int) data[1];
int vB = (data[3] << 8) | data[2];
// resolve class name for vB
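Review bot: The guard added for goto/32, `if (len > 2) {`, still lets the body read `data[3]`, `data[4]` and `data[5]`, so an instruction truncated to three, four or five bytes remains an out-of-bounds read; that line should be `if (len > 5) {`. The same off-by-one appears in the const-wide, const-string, goto/16 and filled-new-array-data hunks, where `if (len > 2)` guards a read of `data[3]` and should be `if (len > 3)` (only the if-lez and invoke cases keep an inner `len > 3` test before touching `data[3]`). When the new guard fails, the goto cases now leave op->type, op->jump and op->eob untouched, so whatever the caller initialized them to is what gets reported; presumably that is treated as an unknown op, but it is worth confirming the caller zeroes op before this switch. dalvik_op starts and ends outside these hunks.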


@ -54,15 +54,12 @@ static void *r_trie_node_find(RTrieNode *n, char *name) {
}
static void r_trie_node_free(RTrieNode **n) {
if (!n) {
return;
}
if (!*n) {
if (!n || *n) {
return;
}
int i;
for (i = 0; i < ALPHABET_SIZE; i++){
r_trie_node_free ((*n)->child[i]);
r_trie_node_free (&(*n)->child[i]);
}
R_FREE (*n);
}
@ -150,7 +147,7 @@ R_API void r_trie_free(RTrie ** t) {
return;
}
if ((*t)->root) {
r_trie_node_free ((*t)->root);
r_trie_node_free (&(*t)->root);
}
R_FREE (*t);
}
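Review bot: The merged guard in r_trie_node_free, `if (!n || *n) { return; }`, inverts the second test that the two replaced checks performed: the function now returns early for every non-NULL node and falls through to `(*n)->child[i]` only when `*n` is NULL, which dereferences a null pointer. Both original checks returned on NULL, so the line should read `if (!n || !*n) { return; }`. As written, the `r_trie_node_free (&(*t)->root)` call in r_trie_free never frees a populated trie, and the first recursive call on an empty child slot crashes. r_trie_free's body starts outside the hunk.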