From 7be543919e81c91de4e98a556adb06dd515b781a Mon Sep 17 00:00:00 2001
From: pancake
Date: Tue, 26 Apr 2022 10:42:43 +0200
Subject: [PATCH] Fix #6647 - check map bounds in the pebble bin loader ##bin

---
 libr/bin/p/bin_pebble.c | 24 ++++++++++++++++--------
 test/db/formats/pebble | 29 +++++++++++++++++++++++++++++
 test/db/formats/peeble | 7 -------
 3 files changed, 45 insertions(+), 15 deletions(-)
 create mode 100644 test/db/formats/pebble
 delete mode 100644 test/db/formats/peeble

diff --git a/libr/bin/p/bin_pebble.c b/libr/bin/p/bin_pebble.c
index a95715e5b7..c2ee1f93ff 100644
--- a/libr/bin/p/bin_pebble.c
+++ b/libr/bin/p/bin_pebble.c
@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2014-2019 - pancake */
+/* radare - LGPL - Copyright 2014-2022 - pancake */
 #include
 #include
@@ -102,13 +102,21 @@ static RList* sections(RBinFile *bf) {
 return ret;
 }
 ptr->name = strdup ("relocs");
- ptr->vsize = ptr->size = pai.num_reloc_entries * sizeof (ut32);
- ptr->vaddr = ptr->paddr = pai.reloc_list_start;
- ptr->perm = R_PERM_RW;
- ptr->add = true;
- r_list_append (ret, ptr);
- if (ptr->vaddr < textsize) {
- textsize = ptr->vaddr;
+ ut64 sz = pai.num_reloc_entries * sizeof (ut32);
+ ut64 ss = pai.reloc_list_start;
+ if (ss < r_buf_size (bf->buf)) {
+ if (ss + sz >= r_buf_size (bf->buf)) {
+ ut64 left = r_buf_size (bf->buf) - ss;
+ sz = left;
+ }
+ ptr->vaddr = ptr->paddr = ss;
+ ptr->vsize = ptr->size = sz;
+ ptr->perm = R_PERM_RWX;
+ ptr->add = true;
+ r_list_append (ret, ptr);
+ if (ptr->vaddr < textsize) {
+ textsize = ptr->vaddr;
+ }
 }
 // imho this must be a symbol
diff --git a/test/db/formats/pebble b/test/db/formats/pebble
new file mode 100644
index 0000000000..ec78357ca2
--- /dev/null
+++ b/test/db/formats/pebble
@@ -0,0 +1,29 @@
+NAME=Pebble: Open/iI
+FILE=bins/pebble/pebble-app.bin
+CMDS=iI~?pebble
+EXPECT=<
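Review bot: When `ss` is at or beyond the buffer size the new `if (ss < r_buf_size (bf->buf))` branch is skipped, but `ptr` — allocated before the hunk and given its `strdup ("relocs")` name on the line just above — is then neither appended to `ret` nor freed, so a malformed header now leaks the section instead of adding an out-of-bounds one; add an else arm such as `} else { free (ptr->name); free (ptr); }` (or the project's section destructor, if one exists). The clamp itself is sound: `ss < size` guarantees `r_buf_size (bf->buf) - ss` cannot underflow, and `>=` versus `>` only makes an exact fit a no-op. Separately, the permission silently changes from `R_PERM_RW` to `R_PERM_RWX`, which the subject line does not mention; a relocation table is data, and marking it executable invites downstream analysis to disassemble it, so either keep `R_PERM_RW` or comment why X is intended. The product `pai.num_reloc_entries * sizeof (ut32)` is computed in `size_t` and could wrap on a 32-bit host if that field is 32 bits wide (its width is not visible here), so widening the operand first, `(ut64)pai.num_reloc_entries * sizeof (ut32)`, is cheap insurance. `sections` starts and ends outside the hunk.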