From 9a054c0a0f651ad3fb87b814daed93f585d61ac7 Mon Sep 17 00:00:00 2001
From: pancake
Date: Tue, 11 Apr 2017 14:11:15 +0200
Subject: [PATCH] Fix oobs in dyldcache, omf and swift demangler
---
 libr/bin/format/mach0/dyldcache.c | 3 ++-
 libr/bin/format/omf/omf.c | 6 +++---
 libr/bin/mangling/swift-sd.c | 18 +++++++++++++++---
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/libr/bin/format/mach0/dyldcache.c b/libr/bin/format/mach0/dyldcache.c
index e5a5b534bb..dfd6339e06 100644
--- a/libr/bin/format/mach0/dyldcache.c
+++ b/libr/bin/format/mach0/dyldcache.c
@@ -40,8 +40,9 @@ struct r_bin_dyldcache_lib_t *r_bin_dyldcache_extract(struct r_bin_dyldcache_obj
 eprintf ("Empty file? (%s)\n", bin->file? bin->file: "(null)");
 return NULL;
 }
- if (bin->nlibs < 0 || idx < 0 || idx > bin->nlibs)
+ if (bin->nlibs < 0 || idx < 0 || idx >= bin->nlibs) {
 return NULL;
+ }
 *nlib = bin->nlibs;
 ret = R_NEW0 (struct r_bin_dyldcache_lib_t);
 if (!ret) {
diff --git a/libr/bin/format/omf/omf.c b/libr/bin/format/omf/omf.c
index 86653468a7..53061caf27 100644
--- a/libr/bin/format/omf/omf.c
+++ b/libr/bin/format/omf/omf.c
@@ -123,9 +123,9 @@ static int load_omf_lnames(OMF_record *record, const char *buf, ut64 buf_size) {
 return false;
 }
- memcpy (names[ct_name], buf + 3 + tmp_size + 1,
- buf[3 + tmp_size]);
-
+ if ((tmp_size + 4 + buf[3 + tmp_size]) < record->size) {
+ memcpy (names[ct_name], buf + 3 + tmp_size + 1, buf[3 + tmp_size]);
+ }
 ct_name++;
 tmp_size += buf[3 + tmp_size] + 1;
 }
diff --git a/libr/bin/mangling/swift-sd.c b/libr/bin/mangling/swift-sd.c
index 4121ed0017..b67e15cbd2 100644
--- a/libr/bin/mangling/swift-sd.c
+++ b/libr/bin/mangling/swift-sd.c
@@ -74,8 +74,12 @@ static struct Type flags [] = {
 };
 static const char *getnum(const char* n, int *num) {
- if (num) *num = atoi (n);
- while (*n>='0' && *n <='9') n++;
+ if (num && *n) {
+ *num = atoi (n);
+ }
+ while (*n && *n>='0' && *n <='9') {
+ n++;
+ }
 return n;
 }
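Review bot: The length byte in the new bound check, `buf[3 + tmp_size]`, is read through `const char *buf`, so on a platform where `char` is signed a length of 0x80 or more is negative: the sum then passes the `< record->size` comparison while the same value, converted to `size_t` for `memcpy`, becomes a huge count. Cast the byte once, e.g. `unsigned char len = (unsigned char)buf[3 + tmp_size];`, and use `len` in both the check and the copy; the `tmp_size += buf[3 + tmp_size] + 1;` line below has the same sign issue. When the check fails the loop still advances `tmp_size` and keeps iterating, and the following `buf[3 + tmp_size]` read is not guarded here, so it looks safer to `break` (or `return false`) instead of skipping only the copy. It is also not visible in this hunk whether `record->size` or the `buf_size` parameter is the authoritative length of `buf`; if they can differ, the check should use the smaller one. load_omf_lnames begins and ends outside the hunk.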
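Review bot: The added `*n` guard in `if (num && *n)` leaves `*num` unassigned when `n` points at an empty string, whereas the old code stored `atoi ("")`, i.e. 0, so any caller that reads its `int` after `getnum` now sees an indeterminate value. `atoi` is well defined on an empty string, so `if (num) { *num = atoi (n); }` keeps the braces without that regression; the `*n &&` in the `while` condition is likewise redundant, since `'\0'` already fails `*n >= '0'`. Separately, `atoi` has no overflow detection and an over-long digit run in a mangled name is undefined behaviour; `strtol` with `ERANGE` handling would be the safer parser for input taken from a binary.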
@@ -225,7 +229,15 @@ char *r_bin_demangle_swift(const char *s, int syscmd) {
 break;
 }
 }
- p += (tail? 1: 2);
+ if (tail) {
+ if (*p) {
+ p++;
+ }
+ } else {
+ if (*p && p[1]) {
+ p += 2;
+ }
+ }
 // XXX
 q = getnum (p, NULL);
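Review bot: The new advance leaves `p` unchanged when it already sits on the terminator (or, in the `else` branch, when only one byte remains), but nothing here stops the parsing that follows: `q = getnum (p, NULL);` runs on the same position, and if this advance is the step of an enclosing loop a string that ends early could keep iterating without progress. Consider making the short-input case explicit, e.g. `if (!*p || (!tail && !p[1])) { break; }` before the advance (or whatever exit the surrounding code uses), so it reads as a deliberate end-of-input exit rather than a silent no-op. The body of r_bin_demangle_swift begins and ends outside the hunk, so the loop structure cannot be confirmed from here.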