Fix #22767 - Some UB when malloc(0) in RBuffer api ##crash

2025-02-25 16:51:30 +00:00 · 2024-03-30 12:07:33 +01:00 · 2024-03-30 12:07:33 +01:00 · ff2f2a312b
commit ff2f2a312b
parent 8644a29556
3 changed files with 26 additions and 9 deletions
--- a/libr/core/cio.c
+++ b/libr/core/cio.c
@ -159,9 +159,11 @@ R_API ut8* r_core_transform_op(RCore *core, const char *arg, char op) {
 			len = xlen;
 		} else {  // use clipboard as key
 			const ut8 *tmp = r_buf_data (core->yank_buf, &len);
-			str = r_mem_dup (tmp, len);
-			if (!str) {
-				goto beach;
+			if (tmp && len > 0) {
+				str = r_mem_dup (tmp, len);
+				if (!str) {
+					goto beach;
+				}
 			}
 		}
 	} else {
--- a/libr/util/buf_bytes.c
+++ b/libr/util/buf_bytes.c
@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2020 - ret2libc */
+/* radare - LGPL - Copyright 2009-2024 - ret2libc */

 #include <r_util.h>

@ -35,14 +35,26 @@ static bool buf_bytes_init(RBuffer *b, const void *user) {
 		priv->buf = (ut8 *)u->data_steal;
 		priv->is_bufowner = u->steal;
 	} else {
-		priv->buf = malloc (priv->length);
+#if 0
+		size_t length = priv->length > 0? priv->length: 1;
+		priv->buf = malloc (length);
 		if (!priv->buf) {
 			free (priv);
 			return false;
 		}
-		if (priv->length) {
+		if (priv->length > 0) {
 			memmove (priv->buf, u->data, priv->length);
 		}
+#else
+		if (priv->length > 0) {
+			priv->buf = malloc (priv->length);
+			if (!priv->buf) {
+				free (priv);
+				return false;
+			}
+			memmove (priv->buf, u->data, priv->length);
+		}
+#endif
 		priv->is_bufowner = true;
 	}
 	b->priv = priv;
--- a/libr/util/mem.c
+++ b/libr/util/mem.c
@ -303,9 +303,12 @@ R_API bool r_mem_protect(void *ptr, int size, const char *prot) {

 R_API void *r_mem_dup(const void *s, int l) {
 	r_return_val_if_fail (s, NULL);
-	void *d = malloc (l);
-	if (d != NULL) {
-		memcpy (d, s, l);
+	void *d = NULL;
+	if (l > 0) {
+		d = malloc (l);
+		if (d != NULL) {
+			memcpy (d, s, l);
+		}
 	}
 	return d;
 }