Fix use-after-free in RCoreFile/RIO

2024-12-13 16:18:33 +00:00 · 2014-11-07 10:37:54 +01:00 · 2014-11-07 10:37:54 +01:00 · 7cc34c4387
commit 7cc34c4387
parent d9cb7d65fd
3 changed files with 8 additions and 7 deletions
--- a/libr/core/cmd_open.c
+++ b/libr/core/cmd_open.c
@ -166,7 +166,8 @@ static int cmd_open(void *data, const char *input) {
 	case '-':
 		if (!r_core_file_close_fd (core, atoi (input+1)))
 			eprintf ("Unable to find filedescriptor %d\n", atoi (input+1));
-		r_core_block_read (core, 0);
+		// uninit deref
+		//r_core_block_read (core, 0);
 		break;
 	case 'm':
 		switch (input[1]) {
--- a/libr/core/file.c
+++ b/libr/core/file.c
@ -688,12 +688,11 @@ R_API void r_core_file_free(RCoreFile *cf) {
 		RIO *io = NULL;
 		if (cf) {
 			io = (RIO*)(cf->desc ? cf->desc->io : NULL);
-			return;
+			r_bin_file_deref_by_bind (&cf->binb);
 			if (cf->map) r_io_map_del_all (io, cf->map->fd);
 			r_io_close ((RIO *) io, cf->desc);
+			free (cf);
 		}
-		r_bin_file_deref_by_bind (&cf->binb);
-		free (cf);
 	}
 	cf = NULL;
 }
@ -830,6 +829,9 @@ R_API int r_core_file_close_fd(RCore *core, int fd) {
 	r_list_foreach (core->files, iter, file) {
 		if (file->desc->fd == fd) {
 			r_core_file_close (core, file);
+			if (file == core->file) {
+				core->file = NULL; // deref
+			}
 #if 0
 			if (r_list_empty (core->files))
 				core->file = NULL;
--- a/libr/io/p/io_default.c
+++ b/libr/io/p/io_default.c
@ -224,11 +224,9 @@ static ut64 r_io_def_mmap_seek(RIO *io, RIOMMapFileObj *mmo, ut64 offset, int wh
 }

 static ut64 r_io_def_mmap_lseek(RIO *io, RIODesc *fd, ut64 offset, int whence) {
-	RIOMMapFileObj *mmo;
 	if (!fd || !fd->data)
 		return -1;
-	mmo = fd->data;
-	return r_io_def_mmap_seek(io, mmo, offset, whence);
+	return r_io_def_mmap_seek (io, (RIOMMapFileObj *)fd->data, offset, whence);
 }

 static int r_io_def_mmap_truncate(RIOMMapFileObj *mmo, ut64 size) {