Fix a 1 byte overflow in r2cmd and improve logic checks ##crash

2024-10-06 18:13:46 +00:00 · 2024-09-13 17:54:09 +02:00 · 2024-09-13 17:54:09 +02:00 · 245779383e
commit 245779383e
parent 2f4f8edda6
2 changed files with 26 additions and 30 deletions
--- a/binr/radare2/radare2.c
+++ b/binr/radare2/radare2.c
@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2023 - pancake */
+/* radare - LGPL - Copyright 2009-2024 - pancake */

 #include <r_main.h>

@ -43,38 +43,39 @@ void r2_asmjs_openurl(void *kore, const char *url) {
 	}
 }
 #else
+
+#ifndef STDOUT_FILENO
+#define STDOUT_FILENO 1
+#endif
+
 static void r2cmd(int in, int out, const char *cmd) {
-	size_t cmd_len = strlen (cmd) + 1;
-	if (write (out, cmd, cmd_len) != cmd_len) {
+	int cmd_len = strlen (cmd) + 1;
+	if ((int)write (out, cmd, cmd_len) != cmd_len) {
 		return;
 	}
+#if 0
 	if (write (out, "\n", 1) != 1) {
 		return;
 	}
-	int bufsz = (1024 * 64);
-	unsigned char *buf = malloc (bufsz);
-	if (!buf) {
+#endif
+	int bufsz = (1024 * 64) - 1;
+	ut8 *buf = malloc (bufsz + 1);
+	if (R_UNLIKELY (!buf)) {
 		return;
 	}
-	while (1) {
-		int n = read (in, buf, bufsz);
-		if (n < 1) {
-			break;
-		}
-		buf[n] = '\0';
-		buf[bufsz - 1] = '\0';
+	int n = read (in, buf, bufsz);
+	if (R_LIKELY (n > 0)) {
+		buf[R_MIN (n, bufsz)] = 0;
 		int len = strlen ((const char *)buf);
-		n = len;
-		if (n < 1) {
-			break;
-		}
-		n = write (1, buf, n);
-		if (n != bufsz) {
-			break;
+		if (len > 0) {
+			n = write (STDOUT_FILENO, buf, len);
+			if (n != len) {
+				R_LOG_ERROR ("Truncated output");
+			}
 		}
 	}
 	free (buf);
-	write (1, "\n", 1);
+	write (STDOUT_FILENO, "\n", 1);
 }

 static int r_main_r2pipe(int argc, const char **argv) {
--- a/libr/search/privkey.c
+++ b/libr/search/privkey.c
@ -2,6 +2,7 @@
 // By Nadia Heninger and J. Alex Halderman
 // Contribution to r2 by @santitox
 // Integrated and refactored by jvoisin and spelissier
+// Updated by Sylvain Pelissier 2024

 #include <r_search.h>
 #include <r_crypto/r_ed25519.h>
@ -68,6 +69,7 @@ static int check_fields(const ut8 *start) {
 // As defined in RFC 3447 for RSA, as defined in RFC 5915 for
 // elliptic curves and as defined in 7 of RFC 8410 for SafeCurves
 R_IPI int search_asn1_privkey_update(RSearch *s, ut64 from, const ut8 *buf, int len) {
+	R_RETURN_VAL_IF_FAIL (s && buf, -1);
 	int i, k, max, index, t;
 	RListIter *iter;
 	RSearchKeyword *kw;
@ -120,16 +122,9 @@ R_IPI int search_asn1_privkey_update(RSearch *s, ut64 from, const ut8 *buf, int
 	return -1;
 }

-static inline void hexprint(const ut8 *data, int len) {
-	int i = 0;
-	for (i = 0; i < len; i++) {
-		r_cons_printf ("%02x", data[i]);
-	}
-	r_cons_newline ();
-}
-
 // Finds and return index of a private key matching a given public key.
 R_IPI int search_raw_privkey_update(RSearch *s, ut64 from, const ut8 *buf, int len) {
+	R_RETURN_VAL_IF_FAIL (s && buf, -1);
 	int t, i;
 	RSearchKeyword *kw;
 	RListIter *iter;
@ -156,4 +151,4 @@ R_IPI int search_raw_privkey_update(RSearch *s, ut64 from, const ut8 *buf, int l
 		}
 	}
 	return -1;
-}
+}