Fix doublefree in btree and use-after-free in windbg

pancake 2015-11-02 12:32:31 +01:00
parent ed82bfd59c
commit 75adfec670
3 changed files with 14 additions and 13 deletions


@ -92,14 +92,14 @@ static int r_debug_wind_wait (RDebug *dbg, int pid) {
// Handle exceptions only
if (stc->state == STATE_EXCEPTION) {
wind_set_cpu (wctx, stc->cpu);
free (pkt);
dbg->reason.type = R_DEBUG_REASON_INT;
dbg->reason.addr = stc->pc;
dbg->reason.tid = stc->kthread;
dbg->reason.signum = stc->state;
free (pkt);
break;
} else wind_continue (wctx);
free(pkt);
free (pkt);
}
// TODO : Set the faulty process as target
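Review bot: The exception branch still carries no comment explaining why `free (pkt)` has to come after the four `dbg->reason` assignments, so the ordering that this fix depends on is easy to undo in a later cleanup. `stc` looks like a view into `pkt`'s buffer (its assignment is outside the hunk, so this is inferred), which is what made the earlier free a use-after-free. I would add `/* stc points into pkt: release pkt only after the last read through stc */` above the `free (pkt);` that precedes `break;`. The enclosing loop in `r_debug_wind_wait` starts and ends outside the hunk.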


@ -23,7 +23,7 @@ R_API void btree_init(struct btree_node **T);
R_API struct btree_node *btree_remove(struct btree_node *p, BTREE_DEL(del));
R_API void *btree_search(struct btree_node *proot, void *x, BTREE_CMP(cmp), int parent);
R_API void btree_traverse(struct btree_node *proot, int reverse, void *context, BTREE_TRV(trv));
R_API int btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del));
R_API bool btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del));
R_API void *btree_get(struct btree_node *proot, void *x, BTREE_CMP(cmp));
R_API void btree_insert(struct btree_node **T, struct btree_node *p, BTREE_CMP(cmp));
R_API void btree_add(struct btree_node **T, void *e, BTREE_CMP(cmp));


@ -1,4 +1,4 @@
/* radare - LGPL - Copyright 2009-2013 - pancake */
/* radare - LGPL - Copyright 2009-2015 - pancake */
#include <btree.h>
@ -8,12 +8,12 @@ R_API void btree_init(struct btree_node **T) {
R_API struct btree_node *btree_remove(struct btree_node *p, BTREE_DEL(del)) {
struct btree_node *rp = NULL, *f;
if (p==NULL) return p;
if (p->right!=NULL) {
if (p->left!=NULL) {
if (!p) return p;
if (p->right) {
if (p->left) {
f = p;
rp = p->right;
while (rp->left!=NULL) {
while (rp->left) {
f = rp;
rp = rp->left;
}
@ -61,14 +61,15 @@ R_API void btree_traverse(struct btree_node *root, int reverse, void *context, B
}
}
R_API int btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del)) {
R_API bool btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del)) {
struct btree_node *p = btree_search (proot, x, cmp, 1);
if (p) {
// p->right =
btree_remove (p->left, del);
return R_TRUE;
p->left = NULL;
return true;
}
return R_FALSE;
return false;
}
R_API void *btree_get(struct btree_node *proot, void *x, BTREE_CMP(cmp)) {
@ -129,12 +130,12 @@ R_API struct btree_node *btree_hittest(struct btree_node *root, struct btree_nod
R_API int btree_optimize(struct btree_node **T, BTREE_CMP(cmp)) {
struct btree_node *node, *NT = NULL;
do {
node = btree_hittest(*T, NULL);
node = btree_hittest (*T, NULL);
if (node) {
btree_add (&NT, node->data, cmp);
btree_del (*T, node->data, cmp, NULL);
}
} while(node);
} while (node);
*T = NT; /* replace one tree with the other */
return 0;
}
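Review bot: In `btree_del`, the pointer returned by `btree_remove (p->left, del)` is still thrown away, and the new `p->left = NULL;` then unlinks everything that hung below the removed node. Clearing the link does remove the dangling pointer behind the double free, but `btree_remove` is declared to return a `struct btree_node *` and builds `rp` as a successor (its body is only partly visible here, so this is inferred); if that is the replacement node, the link should be `p->left = btree_remove (p->left, del);`, otherwise the subtree is leaked and its entries silently vanish from the tree. The leftover `// p->right =` comment suggests the case where the match is the right child was never finished; that deserves either handling or a comment stating that only the left child is ever removed. `btree_optimize` calls `btree_del` in a loop and ignores its result, so it is worth confirming that loop still terminates when a delete returns `false`.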