Fix integer overflow that leads to a crash in the DEX parser ##bin (#13520)

This commit is contained in:
radare 2019-03-27 10:30:22 +01:00 committed by GitHub
parent 2fbc484f57
commit 5c60aa24d8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1528,9 +1528,10 @@ static void parse_class(RBinFile *binfile, RBinDexObj *bin, RBinDexClass *c,
if (!c || !c->class_data_offset) {
if (dexdump) {
rbin->cb_printf (
" Static fields -\n Instance fields "
"-\n Direct methods -\n Virtual methods "
"-\n");
" Static fields -\n"
" Instance fields -\n"
" Direct methods -\n"
" Virtual methods -\n");
}
} else {
// TODO: move to func, def or inline
@ -1544,15 +1545,42 @@ static void parse_class(RBinFile *binfile, RBinDexObj *bin, RBinDexClass *c,
const ut8 *bufbuf = r_buf_buffer (binfile->buf);
p = bufbuf + c->class_data_offset;
// runtime error: pointer index expression with base 0x000000004402 overflowed to 0xfffffffffffffd46
p_end = p + (r_buf_size (binfile->buf) - c->class_data_offset);
// XXX may overflow
if (r_buf_size (binfile->buf) < c->class_data_offset) {
return;
}
ut32 p_size = (r_buf_size (binfile->buf) - c->class_data_offset);
p_end = p + p_size;
//XXX check for NULL!!
c->class_data = (struct dex_class_data_item_t *)malloc (
sizeof (struct dex_class_data_item_t));
if (!p->class_data) {
return;
}
if (p >= p_end) {
free (c->class_data);
return;
}
p = r_uleb128 (p, p_end - p, &c->class_data->static_fields_size);
if (p >= p_end) {
free (c->class_data);
return;
}
p = r_uleb128 (p, p_end - p, &c->class_data->instance_fields_size);
if (p >= p_end) {
free (c->class_data);
return;
}
p = r_uleb128 (p, p_end - p, &c->class_data->direct_methods_size);
if (p >= p_end) {
free (c->class_data);
return;
}
p = r_uleb128 (p, p_end - p, &c->class_data->virtual_methods_size);
if (p >= p_end) {
free (c->class_data);
return;
}
if (dexdump) {
rbin->cb_printf (" Static fields -\n");
@ -1594,8 +1622,7 @@ static void parse_class(RBinFile *binfile, RBinDexObj *bin, RBinDexClass *c,
c->source_file, source_file);
}
}
// TODO:!!!!
// FIX: FREE BEFORE ALLOCATE!!!
// TODO: fix memleaks
//free (class_name);
}
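Review bot: The new `if (r_buf_size (binfile->buf) < c->class_data_offset)` check in the second hunk sits after `p = bufbuf + c->class_data_offset`, so the out-of-range pointer the commit title describes is still formed before the offset is rejected; the check needs to come before that addition. Separately, `if (!p->class_data)` tests the wrong variable: `p` is the `const ut8 *` assigned two lines earlier, so this cannot compile as written unless `p` is redeclared outside the hunk, and the allocation it is meant to guard is `c->class_data`. The `ut32 p_size` intermediate also narrows the size difference if `r_buf_size` returns a wider type; computing `p_end` as `bufbuf + r_buf_size (binfile->buf)` avoids both the intermediate and the narrowing. The enclosing parse_class starts before the hunk and continues after it.
```c
		const ut8 *bufbuf = r_buf_buffer (binfile->buf);
		// reject the offset before forming p: bufbuf + offset past the buffer end is UB
		if (r_buf_size (binfile->buf) < c->class_data_offset) {
			return;
		}
		p = bufbuf + c->class_data_offset;
		p_end = bufbuf + r_buf_size (binfile->buf);
		// … unchanged: malloc of c->class_data …
		if (!c->class_data) {
			return;
		}
		// … unchanged: the four r_uleb128 reads and their p >= p_end checks …
```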