

Fix oobread and unaligned casts in the NE entrypoint logic ##crash
* Reported by @hmsec via huntr.dev
* Reproducer: nepocaligns
* BountyID: ec538fa4-06c6-4050-a141-f60153ddeaac
radare authored and trufae committed Apr 11, 2022
1 parent 6d0bf40 commit 0a55704
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions libr/bin/format/ne/ne.c
Expand Up @@ -408,14 +408,21 @@ RList *r_bin_ne_get_entrypoints(r_bin_ne_obj_t *bin) {
off += 2;
ut8 segnum = *(bin->entry_table + off);
off++;
ut16 segoff = *(ut16 *)(bin->entry_table + off);
if (segnum > 0) {
if (off > bin->ne_header->EntryTableLength) {
break;
}
ut16 segoff = r_read_le16 (bin->entry_table + off);
if (segnum > 0 && segnum < bin->ne_header->SegCount) {
entry->paddr = (ut64)bin->segment_entries[segnum - 1].offset * bin->alignment + segoff;
}
} else { // Fixed
if (off + 2 >= bin->ne_header->EntryTableLength) {
break;
}
ut16 delta = r_read_le16 (bin->entry_table + off);
if (bundle_type < bin->ne_header->SegCount) {
entry->paddr = (ut64)bin->segment_entries[bundle_type - 1].offset
* bin->alignment + *(ut16 *)(bin->entry_table + off);
* bin->alignment + delta;
}
}
off += 2;
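Review bot: The new length guard in the movable branch, `if (off > bin->ne_header->EntryTableLength)`, is looser than the one added to the fixed branch and still lets the following `r_read_le16 (bin->entry_table + off)` read two bytes starting at off == EntryTableLength - 1 or off == EntryTableLength, i.e. one or two bytes past a table buffer of exactly EntryTableLength bytes. The two guards should use the same arithmetic, `if (off + 2 > bin->ne_header->EntryTableLength) { break; }` (the fixed branch's `>=` form is safe but rejects an entry whose delta ends exactly at the table end). Separately, `segnum < bin->ne_header->SegCount` combined with the index `segnum - 1` excludes segnum == SegCount, which would address segment_entries[SegCount - 1]; if segment_entries holds SegCount elements (its allocation is not visible here) the exact bound is `segnum <= SegCount`, and the same question applies to `bundle_type < SegCount` with `bundle_type - 1`. The `segnum` byte read at `*(bin->entry_table + off)` precedes any length check within this hunk; whether `off` is validated earlier in r_bin_ne_get_entrypoints cannot be seen, as the function starts and ends outside the hunk.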

