Fix oob write when r_cons_pop

2025-02-17 12:48:41 +00:00 · 2016-10-19 02:09:14 +02:00 · 2016-10-19 02:09:14 +02:00 · 258e12fdd8
commit 258e12fdd8
parent 27d3d3dbf0
3 changed files with 21 additions and 12 deletions
--- a/libr/cons/cons.c
+++ b/libr/cons/cons.c
@ -308,15 +308,15 @@ R_API RCons *r_cons_free() {
 }

 #define MOAR (4096 * 8)
-static void palloc(int moar) {
+static bool palloc(int moar) {
 	void *temp;
 	if (moar <= 0) {
-		return;
+		return false;
 	}
 	if (!I.buffer) {
 		int new_sz;
 		if ((INT_MAX - MOAR) < moar) {
-			return;
+			return false;
 		}
 		new_sz = moar + MOAR;
 		temp = calloc (1, new_sz);
@ -325,20 +325,22 @@ static void palloc(int moar) {
 			I.buffer = temp;
 			I.buffer[0] = '\0';
 		}
-	} else if (moar + I.buffer_len >= I.buffer_sz) {
+	} else if (moar + I.buffer_len > I.buffer_sz) {
 		char *new_buffer;
 		int old_buffer_sz = I.buffer_sz;
 		if ((INT_MAX - MOAR - moar) < I.buffer_sz) {
-			return;
+			return false;
 		}
-		I.buffer_sz += moar+MOAR;
+		I.buffer_sz += moar + MOAR;
 		new_buffer = realloc (I.buffer, I.buffer_sz);
 		if (new_buffer) {
 			I.buffer = new_buffer;
 		} else {
 			I.buffer_sz = old_buffer_sz;
+			return false;
 		}
 	}
+	return true;
 }

 R_API int r_cons_eof() {
@ -453,6 +455,7 @@ R_API void r_cons_push() {
 R_API void r_cons_pop() {
 	if (I.cons_stack) {
 		RConsStack *data = (RConsStack *)r_stack_pop (I.cons_stack);
+		char *tmp;
 		if (!data) {
 			return;
 		}
@ -460,6 +463,13 @@ R_API void r_cons_pop() {
 			free (data);
 			return;
 		} 
+		tmp = malloc (data->buf_size);
+		if (!tmp) {
+			cons_stack_free ((void *)data);
+			return;
+		}
+		free (I.buffer);
+		I.buffer = tmp;
 		memcpy (I.buffer, data->buf, data->buf_len);
 		I.buffer_len = data->buf_len;
 		I.buffer_sz = data->buf_size;
@ -684,10 +694,11 @@ R_API void r_cons_memcat(const char *str, int len) {
 		write (2, str, len);
 	}
 	if (str && len > 0 && !I.null) {
-		palloc (len+1);
-		memcpy (I.buffer + I.buffer_len, str, len);
-		I.buffer_len += len;
-		I.buffer[I.buffer_len] = 0;
+		if (palloc (len + 1)) {
+			memcpy (I.buffer + I.buffer_len, str, len);
+			I.buffer_len += len;
+			I.buffer[I.buffer_len] = 0;
+		}
 	}
 	if (I.flush) {
 		r_cons_flush ();
--- a/libr/core/cmd.c
+++ b/libr/core/cmd.c
@ -2189,7 +2189,6 @@ R_API int r_core_cmd_foreach(RCore *core, const char *cmd, char *each) {
 					}
 					r_cons_pop ();
 					r_cons_strcat (buf);
-					r_cons_newline();
 					free (buf);
 				}
 				core->cons->grep = grep;
--- a/libr/core/cmd_search.c
+++ b/libr/core/cmd_search.c
@ -1568,7 +1568,6 @@ static void do_anal_search(RCore *core, struct search_parameters *param, const c
 		}
 		ret = r_anal_op (core->anal, &aop, at, buf + i, bsize - i);
 		if (ret) {
-			const char *arg = NULL;
 			bool match = false;
 			if (chk_family) {
 				const char *fam = r_anal_op_family_to_string (aop.family);