Fix #5476 - fix UAF executing twice izz~:0
This commit is contained in:
parent
3e21569722
commit
84e871e456
@ -40,13 +40,12 @@ R_API void r_cons_grep(const char *str) {
|
||||
char buf[R_CONS_GREP_BUFSIZE];
|
||||
char *ptr, *optr, *ptr2, *ptr3;
|
||||
|
||||
if (!str || !*str)
|
||||
if (!str || !*str) {
|
||||
return;
|
||||
|
||||
}
|
||||
cons = r_cons_singleton ();
|
||||
memset (&(cons->grep), 0, sizeof (cons->grep));
|
||||
cons->grep.line = -1;
|
||||
|
||||
while (*str) {
|
||||
switch (*str) {
|
||||
case '.':
|
||||
@ -107,7 +106,6 @@ R_API void r_cons_grep(const char *str) {
|
||||
if (ptr2 && ptr3) {
|
||||
ptr2[0] = '\0';
|
||||
ptr2++;
|
||||
|
||||
for (; ptr2 <= ptr3; ++ptr2) {
|
||||
if (fail) {
|
||||
memset (cons->grep.tokens, 0, R_CONS_GREP_TOKENS);
|
||||
@ -115,7 +113,6 @@ R_API void r_cons_grep(const char *str) {
|
||||
fail = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
switch (*ptr2) {
|
||||
case '-':
|
||||
is_range = 1;
|
||||
|
@ -357,19 +357,19 @@ static int cmd_info(void *data, const char *input) {
|
||||
biname = r_str_escape (core->file->desc->name);
|
||||
RCore *tmpcore = r_core_new ();
|
||||
if (!tmpcore) {
|
||||
eprintf ("Cannot create core\n");
|
||||
return 0;
|
||||
}
|
||||
eprintf ("Cannot create core\n");
|
||||
return 0;
|
||||
}
|
||||
core = tmpcore;
|
||||
tmpcore->bin->minstrlen = min;
|
||||
tmpcore->bin->maxstrlen = max;
|
||||
if (!r_bin_load (tmpcore->bin, biname, UT64_MAX, UT64_MAX, xtr_idx, fd, rawstr)){
|
||||
eprintf ("Cannot load information\n");
|
||||
eprintf ("Cannot load information\n");
|
||||
goto beach;
|
||||
}
|
||||
}
|
||||
switch (input[2]) {
|
||||
case '*':
|
||||
mode = R_CORE_BIN_RADARE;
|
||||
mode = R_CORE_BIN_RADARE;
|
||||
RBININFO ("strings", R_CORE_BIN_ACC_STRINGS, NULL);
|
||||
break;
|
||||
case 'q':
|
||||
@ -377,12 +377,12 @@ static int cmd_info(void *data, const char *input) {
|
||||
ret = r_sys_cmd_strf ("rabin2 -N %d:%d -qqzz '%s'", min, max, biname);
|
||||
input++;
|
||||
} else {
|
||||
mode = R_CORE_BIN_SIMPLE;
|
||||
mode = R_CORE_BIN_SIMPLE;
|
||||
RBININFO ("strings", R_CORE_BIN_ACC_STRINGS, NULL);
|
||||
}
|
||||
break;
|
||||
case 'j':
|
||||
mode = R_CORE_BIN_JSON;
|
||||
mode = R_CORE_BIN_JSON;
|
||||
RBININFO ("strings", R_CORE_BIN_ACC_STRINGS, NULL);
|
||||
break;
|
||||
default:
|
||||
@ -395,6 +395,8 @@ static int cmd_info(void *data, const char *input) {
|
||||
beach:
|
||||
core = r2core;
|
||||
r_core_free (tmpcore);
|
||||
//how cons is singleton cons->num was referring tmpcore->num that is freed causing UAF
|
||||
core->cons->num = core->num;
|
||||
//memcpy (r_cons_singleton (), cons, sizeof (RCons));
|
||||
/* do not copy rcons because it will segfault later
|
||||
* because of globals like consbuffersize */
|
||||
|
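Review bot: The repair at `beach:` rebinds `core->cons->num` after `r_core_free (tmpcore)`, but the comment above it is hard to parse and the fix protects only this caller; any other code path that builds a temporary RCore while the cons singleton is live would be left with the same dangling `num` pointer. Reword the comment to `// cons is a singleton: its num still points at tmpcore->num, which was just freed, so rebind it to the real core` — assuming r_core_init is what redirected it, which this page does not show. If that is the case, the more robust place for the reset is `r_core_fini` (touched only for brace style in this commit), e.g. `if (r_cons_singleton ()->num == c->num) { r_cons_singleton ()->num = NULL; }` before the RNum is released, so every temporary-core user gets the protection. The `if (!tmpcore)` early return above happens before `core` is swapped, so it needs no cleanup, which deserves a one-line comment since the `goto beach` path below does. cmd_info starts and ends outside these hunks.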
@ -1438,7 +1438,9 @@ R_API int r_core_init(RCore *core) {
|
||||
}
|
||||
|
||||
R_API RCore *r_core_fini(RCore *c) {
|
||||
if (!c) return NULL;
|
||||
if (!c) {
|
||||
return NULL;
|
||||
}
|
||||
/* TODO: it leaks as shit */
|
||||
//update_sdb (c);
|
||||
// avoid double free
|
||||
|
@ -47,7 +47,7 @@ R_API RNum *r_num_new(RNumCallback cb, void *ptr) {
|
||||
}
|
||||
|
||||
R_API void r_num_free(RNum *num) {
|
||||
free (num);
|
||||
R_FREE (num);
|
||||
}
|
||||
|
||||
#define KB (1024)
|
||||
|
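Review bot: Switching `free (num)` to `R_FREE (num)` in `r_num_free` nulls only the function's own copy of the pointer, so the caller's pointer is unchanged and a later double free or use of it is not prevented; if R_FREE expands to free-then-null as it does elsewhere in r2, the assignment here is dead code. Keep `free (num);` and have the owner null its own field after the call, `r_num_free (core->num); core->num = NULL;`, or apply the free-and-null macro at the call site where it has effect. A header comment such as `/* Frees the RNum; the caller still holds the pointer and should null it. */` would make the ownership explicit.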