Fix #22767 - Some UB when malloc(0) in RBuffer api ##crash

libr/core/cio.c

@@ -159,9 +159,11 @@ R_API ut8* r_core_transform_op(RCore *core, const char *arg, char op) {
 			len = xlen;
 		} else {  // use clipboard as key
 			const ut8 *tmp = r_buf_data (core->yank_buf, &len);
-			str = r_mem_dup (tmp, len);
+			if (tmp && len > 0) {
-			if (!str) {
+				str = r_mem_dup (tmp, len);
-				goto beach;
+				if (!str) {
+					goto beach;
+				}
 			}
 		}
 	} else {

libr/util/buf_bytes.c

@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2020 - ret2libc */
+/* radare - LGPL - Copyright 2009-2024 - ret2libc */
 
 #include <r_util.h>
 
@@ -35,14 +35,26 @@ static bool buf_bytes_init(RBuffer *b, const void *user) {
 		priv->buf = (ut8 *)u->data_steal;
 		priv->is_bufowner = u->steal;
 	} else {
-		priv->buf = malloc (priv->length);
+#if 0
+		size_t length = priv->length > 0? priv->length: 1;
+		priv->buf = malloc (length);
 		if (!priv->buf) {
 			free (priv);
 			return false;
 		}
-		if (priv->length) {
+		if (priv->length > 0) {
 			memmove (priv->buf, u->data, priv->length);
 		}
+#else
+		if (priv->length > 0) {
+			priv->buf = malloc (priv->length);
+			if (!priv->buf) {
+				free (priv);
+				return false;
+			}
+			memmove (priv->buf, u->data, priv->length);
+		}
+#endif
 		priv->is_bufowner = true;
 	}
 	b->priv = priv;

libr/util/mem.c

@@ -303,9 +303,12 @@ R_API bool r_mem_protect(void *ptr, int size, const char *prot) {
 
 R_API void *r_mem_dup(const void *s, int l) {
 	r_return_val_if_fail (s, NULL);
-	void *d = malloc (l);
+	void *d = NULL;
-	if (d != NULL) {
+	if (l > 0) {
-		memcpy (d, s, l);
+		d = malloc (l);
+		if (d != NULL) {
+			memcpy (d, s, l);
+		}
 	}
 	return d;
 }