Fix ANSI injection vulnerability in pd and pdj ##disasm

libr/core/cbin.c

@@ -1876,7 +1876,7 @@ static int bin_symbols(RCore *r, int mode, ut64 laddr, int va, ut64 at, const ch
 		if (!symbol->name) {
 			continue;
 		}
-		char *r_symbol_name = r_str_escape (symbol->name);
+		char *r_symbol_name = r_str_escape_utf8_to_json (symbol->name, -1);
 		ut64 addr = symbol->paddr == UT64_MAX ? symbol->vaddr : rva (r->bin, symbol->paddr, symbol->vaddr, va);
 		int len = symbol->size ? symbol->size : 32;
 		SymName sn = {0};

libr/core/disasm.c

@@ -2093,17 +2093,17 @@ static void ds_show_flags(RDisasmState *ds) {
 			} else {
 				const char *lang = r_config_get (core->config, "bin.lang");
 				char *name = r_bin_demangle (core->bin->cur, lang, flag->realname, flag->offset);
-				if (name || !ds->use_json) {
-					r_cons_print (name ? name : flag->realname);
-				} else {
-					char *name_out = r_str_escape (flag->realname);
-					if (name_out) {
-						r_cons_print (name_out);
-						free (name_out);
+				if (!name) {
+					const char *n = flag->realname? flag->realname: flag->name;
+					if (n) {
+						name = strdup (n);
 					}
 				}
-				r_cons_print (":");
-				R_FREE (name);
+				if (name) {
+					r_str_ansi_filter (name, NULL, NULL, -1);
+					r_cons_printf ("%s:", name);
+					R_FREE (name);
+				}
 			}
 		} else {
 			r_cons_printf ("%s:", flag->name);

libr/util/str.c

@@ -1196,20 +1196,16 @@ static void r_str_byte_escape(const char *p, char **dst, int dot_nl, bool defaul
 /* Internal function. dot_nl specifies wheter to convert \n into the
  * graphiz-compatible newline \l */
 static char *r_str_escape_(const char *buf, int dot_nl, bool parse_esc_seq, bool ign_esc_seq, bool show_asciidot, bool esc_bslash) {
-	char *new_buf, *q;
-	const char *p;
+	r_return_val_if_fail (buf, NULL);
 
-	if (!buf) {
-		return NULL;
-	}
 	/* Worst case scenario, we convert every byte to a single-char escape
 	 * (e.g. \n) if show_asciidot, or \xhh if !show_asciidot */
-	new_buf = malloc (1 + strlen (buf) * (show_asciidot ? 2 : 4));
+	char *new_buf = malloc (1 + strlen (buf) * (show_asciidot ? 2 : 4));
 	if (!new_buf) {
 		return NULL;
 	}
-	p = buf;
-	q = new_buf;
+	const char *p = buf;
+	char *q = new_buf;
 	while (*p) {
 		switch (*p) {
 		case 0x1b: // ESC
@@ -1529,9 +1525,14 @@ R_API int r_str_ansi_filter(char *str, char **out, int **cposs, int len) {
 	}
 
 	for (i = j = 0; i < len; i++) {
-		if ((i + 1) < len && tmp[i] == 0x1b && tmp[i + 1] == '[') {
-			for (i += 2; i < len && str[i] != 'J' && str[i] != 'm' && str[i] != 'H'; i++) {
+		if (tmp[i] == 0x1b) {
+			if ((i + 1) < len && tmp[i + 1] == '[') {
+				for (i += 2; i < len && str[i] != 'J' && str[i] != 'm' && str[i] != 'H'; i++) {
 				;
+				}
+			}
+			if (tmp[i + 1] == '#' && isdigit (tmp[i + 2])  && tmp[i + 3]) {
+				i += 3;
 			}
 		} else {
 			str[j] = tmp[i];