Avoid a few out-of-bounds reads

* When "omr" is called without any arguments + instead just do nothing * in string_scan_range * unbounded pdj now works under ASAN. + But what did the +5 do there? * on px/ without arguments
2024-12-03 02:41:08 +00:00 · 2014-08-25 22:56:47 +02:00 · 2014-08-25 22:56:47 +02:00 · ed2470bc2c
commit ed2470bc2c
parent 109406d799
4 changed files with 11 additions and 4 deletions
--- a/libr/bin/bin.c
+++ b/libr/bin/bin.c
@ -129,7 +129,8 @@ static int string_scan_range (RList *list, const ut8 *buf, int min, const ut64 f
 		str_type = type;

 		if (str_type == R_STRING_TYPE_DETECT) {
-			if (buf[needle+rc+0] == 0x00 &&
+			if (needle+rc+2 < to &&
+				buf[needle+rc+0] == 0x00 &&
 				buf[needle+rc+1] != 0x00 &&
 				buf[needle+rc+2] == 0x00)
 				str_type = R_STRING_TYPE_WIDE;
--- a/libr/core/cmd_open.c
+++ b/libr/core/cmd_open.c
@ -164,7 +164,10 @@ static int cmd_open(void *data, const char *input) {
 		case 'r':
 			{
 			ut64 cur, new;
-			const char *p = strchr (input+3, ' ');
+			const char *p;
+			if (input[2] != ' ')
+				break;
+			p = strchr (input+3, ' ');
 			if (p) {
 				cur = r_num_math (core->num, input+3);
 				new = r_num_math (core->num, p+1);
--- a/libr/core/cmd_print.c
+++ b/libr/core/cmd_print.c
@ -300,6 +300,9 @@ R_API void r_core_print_examine(RCore *core, const char *str) {
 	if (count<1) count = 1;
 	// skipsapces
 	while (*str>='0' && *str<='9') str++;
+
+	// "px/" alone isn't a full command.
+	if (!str[0]) return;
 #if 0
 Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
 #endif
--- a/libr/core/disasm.c
+++ b/libr/core/disasm.c
@ -1955,7 +1955,7 @@ R_API int r_core_print_disasm_json(RCore *core, ut64 addr, ut8 *buf, int nb_byte
 		ut64 at = addr +i;
 		char *escaped_str = NULL;
 		r_asm_set_pc (core->assembler, at);
-		ret = r_asm_disassemble (core->assembler, &asmop, buf+i, nb_bytes-i+5);
+		ret = r_asm_disassemble (core->assembler, &asmop, buf+i, nb_bytes-i);
 		if (ret<1) {
 			r_cons_printf (i>0? ",{": "{");
 			r_cons_printf ("\"offset\":%"PFMT64d, at);
@ -1963,7 +1963,7 @@ R_API int r_core_print_disasm_json(RCore *core, ut64 addr, ut8 *buf, int nb_byte
 			i++;
 			continue;
 		}
-		r_anal_op (core->anal, &analop, at, buf+i, nb_bytes-i+5);
+		r_anal_op (core->anal, &analop, at, buf+i, nb_bytes-i);

 		oplen = r_asm_op_get_size (&asmop);
 		r_cons_printf (i>0? ",{": "{");