
Fixed nasty segfault in vasm.c #10785

Merged: 2 commits, Jul 23, 2018

Conversation

cyanpencil (Contributor):

Thanks to @Maijin, who reported it!

This fixes the following segfault:

To reproduce: if you go to visual assemble and type:
jmp $$; jmp $$; jmp $$; ...
at the 1100th character typed or so you'll get a buffer overflow and a segfault.
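A bounded replacement for the strcpy/memcpy overlay this thread is about, added here as an illustration and not code from this PR or from radare2: the block text is copied into a fixed-size buffer, the assembled hex is overlaid on top of it, and the result is always NUL-terminated no matter how long the typed line gets. VASM_BUFSIZE, the block contents and the hex bytes are constructed stand-ins (the real buffer size is not on the page, and `jmp $$` does not actually assemble to `ebfe`); the typing loop only re-enacts the reproduction above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the fixed-size buffer discussed in the PR; the real size
 * (R_VISUAL_ASM_BUFSIZE) is not shown on the page, so this value is an assumption. */
#define VASM_BUFSIZE 64

/* Bounded version of the strcpy + memcpy overlay: copy the block bytes, then
 * overlay the assembled hex on top, never writing past dstsz and always leaving
 * dst NUL-terminated. Returns true when anything had to be cut off. */
static bool overlay_hex(char *dst, size_t dstsz, const char *block, const char *hex) {
    bool truncated = false;
    if (dstsz == 0) {
        return true;
    }
    size_t blen = strlen(block);
    size_t hlen = strlen(hex);
    size_t room = dstsz - 1;            /* leave one byte for the terminator */
    if (blen > room) {
        blen = room;
        truncated = true;
    }
    memcpy(dst, block, blen);
    dst[blen] = '\0';
    if (hlen > room) {
        hlen = room;
        truncated = true;
    }
    memcpy(dst, hex, hlen);
    if (hlen > blen) {
        /* the overlay ran past the block text and clobbered its terminator */
        dst[hlen] = '\0';
    }
    return truncated;
}

/* Re-enact the reproduction from the PR: the user keeps typing "jmp $$; " and
 * every keystroke re-assembles the whole line. The 4-char hex unit below is a
 * constructed placeholder, not the real encoding of jmp $$. Returns how many
 * re-assemblies had to be truncated instead of overflowing. */
static size_t simulate_typing(size_t reps, char *out, size_t outsz) {
    static const char unit[] = "ebfe";              /* constructed sample bytes */
    static const char block[] = "9090909090909090"; /* constructed block contents */
    char hex[8192];
    size_t pos = 0;
    size_t truncations = 0;
    hex[0] = '\0';
    for (size_t i = 0; i < reps; i++) {
        if (pos + sizeof(unit) > sizeof(hex)) {
            break; /* keep the simulated input itself in bounds */
        }
        memcpy(hex + pos, unit, sizeof(unit)); /* sizeof(unit) includes the NUL */
        pos += sizeof(unit) - 1;
        if (overlay_hex(out, outsz, block, hex)) {
            truncations++;
        }
    }
    return truncations;
}

int main(void) {
    char codebuf[VASM_BUFSIZE];
    size_t cut = simulate_typing(1100, codebuf, sizeof codebuf);
    printf("truncated %zu of 1100 re-assemblies; final buffer: %s\n", cut, codebuf);
    return 0;
}
```

The point of keeping the clamp and the terminator in one place is that the caller never has to reason about whether the hex was shorter or longer than the block text already in the buffer: the overlay either fits, or it is cut at room and terminated there.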

radare (Collaborator) left a comment:

We may get rid of this fixed size buffer at some point

libr/core/vasm.c Outdated
@@ -40,7 +42,7 @@ static int readline_callback(void *_a, const char *str) {
if (a->acode) {
xlen = strlen (a->acode->buf_hex);
strcpy (a->codebuf, a->blockbuf);
memcpy (a->codebuf, a->acode->buf_hex, xlen);
memcpy (a->codebuf, a->acode->buf_hex, R_MIN (xlen, R_VISUAL_ASM_BUFSIZE - 1));
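Review bot: the R_MIN (xlen, R_VISUAL_ASM_BUFSIZE - 1) clamp on the added memcpy stops the write at the end of codebuf but leaves the string unterminated whenever xlen is clamped, because the only NUL in the buffer is the one strcpy placed at strlen (a->blockbuf), and the clamped copy overwrites it as soon as the copied length reaches that offset; write a terminator at the clamped length after the copy (for example `a->codebuf[R_MIN (xlen, R_VISUAL_ASM_BUFSIZE - 1)] = 0`, or the equivalent with the length stored in a local). The strcpy (a->codebuf, a->blockbuf) on the line above is still an unbounded copy into the same fixed-size buffer and needs the same bound with a forced terminator.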
Collaborator:

This will not be null terminated. Asan may complain

cyanpencil (Contributor, author):

Oops, you're totally right ^^ Should be fixed now.

@Maijin Maijin added the bug label Jul 20, 2018
@Maijin Maijin added this to the 2.8.0 milestone Jul 20, 2018
strcpy (a->codebuf, a->blockbuf);
memcpy (a->codebuf, a->acode->buf_hex, xlen);
if (xlen >= strlen (a->blockbuf)) {
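Review bot: the memcpy (a->codebuf, a->acode->buf_hex, xlen) here still copies the full xlen bytes before anything is checked, so the length test on the following line runs after the out-of-bounds write has already happened when buf_hex is longer than codebuf; the comparison against strlen (a->blockbuf) also bounds the wrong quantity, since the limit that matters is the size of codebuf, not the length of the text currently in it. Clamp xlen to the buffer size before the memcpy and terminate at the clamped length; with that in place the strlen comparison is only needed to decide whether the terminator from the preceding strcpy survived.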
Contributor:

This doesn't look right. It is an OOB write if xlen > strlen (a->codebuf). Please handle this case too.

@XVilka XVilka merged commit 008354f into radareorg:master Jul 23, 2018

4 participants