Fix crash in gdb:// and some oobreads

pancake 2016-09-13 02:38:08 +02:00
parent 690847a25f
commit a59e0ce083
4 changed files with 36 additions and 24 deletions


@ -138,12 +138,14 @@ static int string_scan_range(RList *list, const ut8 *buf, int min, const ut64 fr
ut8 tmp[R_STRING_SCAN_BUFFER_SIZE]; ut8 tmp[R_STRING_SCAN_BUFFER_SIZE];
ut64 needle = from, str_start; ut64 needle = from, str_start;
int count = 0, i, rc, runes, str_type = R_STRING_TYPE_DETECT; int count = 0, i, rc, runes, str_type = R_STRING_TYPE_DETECT;
if (type == -1)
if (type == -1) {
type = R_STRING_TYPE_DETECT; type = R_STRING_TYPE_DETECT;
}
if (!buf || !min) if (!buf || !min) {
return -1; return -1;
}
while (needle < to) { while (needle < to) {
rc = r_utf8_decode (buf + needle, to - needle, NULL); rc = r_utf8_decode (buf + needle, to - needle, NULL);
if (!rc) { if (!rc) {
@ -155,8 +157,12 @@ static int string_scan_range(RList *list, const ut8 *buf, int min, const ut64 fr
if (str_type == R_STRING_TYPE_DETECT) { if (str_type == R_STRING_TYPE_DETECT) {
char *w = (char *)buf + needle + rc; char *w = (char *)buf + needle + rc;
bool is_wide = needle + rc + 2 < to && !w[0] && w[1] && !w[2]; if ((to - needle) > 2) {
str_type = is_wide? R_STRING_TYPE_WIDE: R_STRING_TYPE_ASCII; bool is_wide = needle + rc + 2 < to && !w[0] && w[1] && !w[2];
str_type = is_wide? R_STRING_TYPE_WIDE: R_STRING_TYPE_ASCII;
} else {
str_type = R_STRING_TYPE_ASCII;
}
} }
runes = 0; runes = 0;
@ -189,9 +195,8 @@ static int string_scan_range(RList *list, const ut8 *buf, int min, const ut64 fr
if (r_isprint (r)) { if (r_isprint (r)) {
rc = r_utf8_encode (&tmp[i], r); rc = r_utf8_encode (&tmp[i], r);
runes++; runes++;
} /* Print the escape code */
/* Print the escape code */ } else if (r && r < 0x100 && strchr ("\b\v\f\n\r\t\a\e", (char)r)) {
else if (r && r < 0x100 && strchr ("\b\v\f\n\r\t\a\e", (char)r)) {
if ((i + 32) < sizeof (tmp) && r < 28) { if ((i + 32) < sizeof (tmp) && r < 28) {
tmp[i + 0] = '\\'; tmp[i + 0] = '\\';
tmp[i + 1] = " abtnvfr e"[r]; tmp[i + 1] = " abtnvfr e"[r];
@ -201,9 +206,10 @@ static int string_scan_range(RList *list, const ut8 *buf, int min, const ut64 fr
} }
rc = 2; rc = 2;
runes++; runes++;
} else {
/* \0 marks the end of C-strings */
break;
} }
/* \0 marks the end of C-strings */
else break;
} }
tmp[i++] = '\0'; tmp[i++] = '\0';
@ -224,7 +230,6 @@ static int string_scan_range(RList *list, const ut8 *buf, int min, const ut64 fr
} }
} }
} }
return count; return count;
} }
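Review bot: The new `if ((to - needle) > 2)` guard in the second hunk (lines 28–33) is already implied by the inner test `needle + rc + 2 < to`, since rc is presumably at least 1 once the `if (!rc)` branch above has run, so the new else arm only restates what the short-circuit already produced. The original pair `bool is_wide = needle + rc + 2 < to && !w[0] && w[1] && !w[2];` and `str_type = is_wide? R_STRING_TYPE_WIDE: R_STRING_TYPE_ASCII;` gives the same result without the duplicated assignment. If the intent was to tighten the bound, `w` is `buf + needle + rc`, so the margin that matters before reading `w[2]` is `rc + 2`, not 2, and the inner condition already accounts for it. The brace normalisation in the remaining hunks is fine.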


@ -40,18 +40,20 @@ static int r_debug_gdb_reg_read(RDebug *dbg, int type, ut8 *buf, int size) {
copy_size = R_MIN (desc->data_len, size); copy_size = R_MIN (desc->data_len, size);
buflen = R_MAX (desc->data_len, buflen); buflen = R_MAX (desc->data_len, buflen);
if (reg_buf) { if (reg_buf) {
if (buf_size < copy_size) { //desc->data_len) { // if (buf_size < copy_size) { //desc->data_len) {
ut8* new_buf = realloc (reg_buf, copy_size); if (buflen > buf_size) { //copy_size) {
if (!new_buf) ut8* new_buf = realloc (reg_buf, buflen);
if (!new_buf) {
return -1; return -1;
}
reg_buf = new_buf; reg_buf = new_buf;
buflen = copy_size; buf_size = buflen;
buf_size = desc->data_len;
} }
} else { } else {
reg_buf = calloc (buflen, 1); reg_buf = calloc (buflen, 1);
if (!reg_buf) if (!reg_buf) {
return -1; return -1;
}
buf_size = buflen; buf_size = buflen;
} }
memset ((void*)(volatile void*)buf, 0, size); memset ((void*)(volatile void*)buf, 0, size);
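Review bot: The realloc branch at lines 72–78 grows reg_buf from buf_size to buflen bytes but, unlike the calloc branch below it, leaves the added tail uninitialised; if the code after this hunk copies or hands out more than desc->data_len bytes of reg_buf, that tail is stale heap content, so clear it before the size is updated, `memset (new_buf + buf_size, 0, buflen - buf_size);` placed ahead of `buf_size = buflen;`. The leftover comment fragments `//desc->data_len) {` and `//copy_size) {` on lines 71 and 72 are dead code and should be dropped. r_debug_gdb_reg_read continues outside the hunk on both sides, so the consumer of reg_buf is not visible here.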


@ -37,7 +37,7 @@ static int debug_gdb_read_at(ut8 *buf, int sz, ut64 addr) {
if (sz < 1 || addr >= UT64_MAX) return -1; if (sz < 1 || addr >= UT64_MAX) return -1;
for (x = 0; x < packets; x++) { for (x = 0; x < packets; x++) {
gdbr_read_memory (desc, addr + x * size_max, size_max); gdbr_read_memory (desc, addr + x * size_max, size_max);
memcpy ((buf + x * size_max), desc->data + x * size_max, size_max); memcpy ((buf + x * size_max), desc->data + x * size_max, R_MIN (sz, size_max));
} }
if (last) { if (last) {
gdbr_read_memory (desc, addr + x * size_max, last); gdbr_read_memory (desc, addr + x * size_max, last);
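Review bot: The new bound on the memcpy at line 96 clamps to the whole request `sz` rather than to what remains after the packets already copied, so for x > 0 it still writes size_max bytes at `buf + x * size_max`; if `packets` is not exactly sz / size_max the per-packet length should be `R_MIN (sz - x * size_max, size_max)`. The source offset `desc->data + x * size_max` also looks suspicious: gdbr_read_memory takes no destination offset, so if it stores each packet at the start of desc->data, every iteration after the first copies from beyond the freshly fetched packet and `desc->data` alone would be the right source — worth confirming against its implementation. Neither gdbr_read_memory call checks its return value, so a failed fetch still has whatever is in desc->data copied out to the caller. debug_gdb_read_at starts before and ends after this hunk.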


@ -192,9 +192,10 @@ static const int nonprintable_ranges_count = sizeof (nonprintable_ranges) / size
/* Convert an UTF-8 buf into a unicode RRune */ /* Convert an UTF-8 buf into a unicode RRune */
R_API int r_utf8_decode (const ut8 *ptr, int ptrlen, RRune *ch) { R_API int r_utf8_decode (const ut8 *ptr, int ptrlen, RRune *ch) {
if (ptrlen<1) if (ptrlen < 1) {
return 0; return 0;
if (ptrlen>0 && ptr[0] < 0x80) { }
if (ptrlen > 0 && ptr[0] < 0x80) {
if (ch) *ch = (ut32)ptr[0]; if (ch) *ch = (ut32)ptr[0];
return 1; return 1;
} else if (ptrlen>1 && (ptr[0]&0xe0) == 0xc0 && (ptr[1]&0xc0) == 0x80) { } else if (ptrlen>1 && (ptr[0]&0xe0) == 0xc0 && (ptr[1]&0xc0) == 0x80) {
@ -277,19 +278,23 @@ R_API int r_utf8_strlen (const ut8 *str) {
} }
R_API int r_isprint (const RRune c) { R_API int r_isprint (const RRune c) {
const last = nonprintable_ranges_count;
int low, hi, mid; int low, hi, mid;
low = 0; low = 0;
hi = nonprintable_ranges_count - 1; hi = last - 1;
do { do {
mid = (low + hi) >> 1; mid = (low + hi) >> 1;
if (c >= nonprintable_ranges[mid].from && c <= nonprintable_ranges[mid].to) if (c >= nonprintable_ranges[mid].from && c <= nonprintable_ranges[mid].to) {
return false; return false;
if (c > nonprintable_ranges[mid].to) }
if (mid < last && c > nonprintable_ranges[mid].to) {
low = mid + 1; low = mid + 1;
if (c < nonprintable_ranges[mid].from) }
if (mid < last && c < nonprintable_ranges[mid].from) {
hi = mid - 1; hi = mid - 1;
}
} while (low <= hi); } while (low <= hi);
return true; return true;