Fix doublefree in btree and use-after-free in windbg

pancake 2015-11-02 12:32:31 +01:00
parent ed82bfd59c
commit 75adfec670
3 changed files with 14 additions and 13 deletions


@ -92,14 +92,14 @@ static int r_debug_wind_wait (RDebug *dbg, int pid) {
// Handle exceptions only // Handle exceptions only
if (stc->state == STATE_EXCEPTION) { if (stc->state == STATE_EXCEPTION) {
wind_set_cpu (wctx, stc->cpu); wind_set_cpu (wctx, stc->cpu);
free (pkt);
dbg->reason.type = R_DEBUG_REASON_INT; dbg->reason.type = R_DEBUG_REASON_INT;
dbg->reason.addr = stc->pc; dbg->reason.addr = stc->pc;
dbg->reason.tid = stc->kthread; dbg->reason.tid = stc->kthread;
dbg->reason.signum = stc->state; dbg->reason.signum = stc->state;
free (pkt);
break; break;
} else wind_continue (wctx); } else wind_continue (wctx);
free(pkt); free (pkt);
} }
// TODO : Set the faulty process as target // TODO : Set the faulty process as target
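Review bot: The ordering constraint this change restores is not recorded anywhere in the hunk: the new position of `free (pkt);` below the last `stc->` read suggests `stc` points into `pkt`, but nothing here says so, and a later edit can move the free back up without any warning. A comment on the exception-path free, `// stc aliases pkt; free only after the last stc-> read (TODO confirm where stc is set up)`, would pin it; stc is assigned outside these lines, since r_debug_wind_wait's body starts before and continues after this hunk. The free before `break` and the one after the if/else are both still required as written, because `break` skips the trailing one.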


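--- a/PATH_NOT_SHOWN/btree.h
+++ b/PATH_NOT_SHOWN/btree.h
@@ -23,7 +23,7 @@ R_API void btree_init(struct btree_node **T);
 R_API struct btree_node *btree_remove(struct btree_node *p, BTREE_DEL(del));
 R_API void *btree_search(struct btree_node *proot, void *x, BTREE_CMP(cmp), int parent);
 R_API void btree_traverse(struct btree_node *proot, int reverse, void *context, BTREE_TRV(trv));
-R_API int btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del));
+R_API bool btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del));
 R_API void *btree_get(struct btree_node *proot, void *x, BTREE_CMP(cmp));
 R_API void btree_insert(struct btree_node **T, struct btree_node *p, BTREE_CMP(cmp));
 R_API void btree_add(struct btree_node **T, void *e, BTREE_CMP(cmp));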
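Review bot: The new `bool` return type on the btree_del declaration needs `bool` to be declared before this line, and the hunk does not show whether this header includes `<stdbool.h>` or a project type header that provides it; worth confirming, since a header included on its own would otherwise fail to compile. The declaration also still says nothing about what the return value means; a comment above it, `/* true if a node matching x was found and removed, false otherwise */`, would document the contract the new type exposes.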


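--- a/PATH_NOT_SHOWN/btree.c
+++ b/PATH_NOT_SHOWN/btree.c
@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2013 - pancake */
+/* radare - LGPL - Copyright 2009-2015 - pancake */
 #include <btree.h>
@@ -8,12 +8,12 @@ R_API void btree_init(struct btree_node **T) {
 R_API struct btree_node *btree_remove(struct btree_node *p, BTREE_DEL(del)) {
 struct btree_node *rp = NULL, *f;
-if (p==NULL) return p;
-if (p->right!=NULL) {
-if (p->left!=NULL) {
+if (!p) return p;
+if (p->right) {
+if (p->left) {
 f = p;
 rp = p->right;
-while (rp->left!=NULL) {
+while (rp->left) {
 f = rp;
 rp = rp->left;
 }
@@ -61,14 +61,15 @@ R_API void btree_traverse(struct btree_node *root, int reverse, void *context, B
 }
 }
-R_API int btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del)) {
+R_API bool btree_del(struct btree_node *proot, void *x, BTREE_CMP(cmp), BTREE_DEL(del)) {
 struct btree_node *p = btree_search (proot, x, cmp, 1);
 if (p) {
 // p->right =
 btree_remove (p->left, del);
-return R_TRUE;
+p->left = NULL;
+return true;
 }
-return R_FALSE;
+return false;
 }
 R_API void *btree_get(struct btree_node *proot, void *x, BTREE_CMP(cmp)) {
@@ -129,12 +130,12 @@ R_API struct btree_node *btree_hittest(struct btree_node *root, struct btree_nod
 R_API int btree_optimize(struct btree_node **T, BTREE_CMP(cmp)) {
 struct btree_node *node, *NT = NULL;
 do {
-node = btree_hittest(*T, NULL);
+node = btree_hittest (*T, NULL);
 if (node) {
 btree_add (&NT, node->data, cmp);
 btree_del (*T, node->data, cmp, NULL);
 }
-} while(node);
+} while (node);
 *T = NT; /* replace one tree with the other */
 return 0;
 }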
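Review bot: `p->left = NULL;` in btree_del discards the pointer that `btree_remove (p->left, del)` returns, so if that return value is the replacement subtree (the function is declared to return `struct btree_node *`, and the hunk above shows it walking down to a successor node `rp`), every node below the removed one is detached from the tree along with the dangling pointer. Assigning the result instead, `p->left = btree_remove (p->left, del);`, keeps the subtree attached and still clears the stale pointer whenever nothing is returned. The leftover `// p->right =` comment also suggests the case where the matched node is the parent's right child is still not handled; that depends on what btree_search returns for parent=1, which is outside this hunk, and should be confirmed rather than assumed.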