
Fix oobread in NE parser ##crash
* Reported by @hmsec via huntr.dev
* Reproducer: necrash
* BountyID: 52b57274-0e1a-4d61-ab29-1373b555fea0/
trufae committed Apr 8, 2022
1 parent 18d1d06 commit 153bcdc
Showing 2 changed files with 20 additions and 13 deletions.
19 changes: 6 additions & 13 deletions libr/bin/format/ne/ne.c
@@ -1,7 +1,6 @@
/* radare - LGPL - Copyright 2019-2022 - GustavoLCR */

#include "ne.h"
#define NE_BUG 0

static char *__get_target_os(r_bin_ne_obj_t *bin) {
switch (bin->ne_header->targOS) {
Expand Down Expand Up @@ -505,25 +504,18 @@ RList *r_bin_ne_get_relocs(r_bin_ne_obj_t *bin) {
free (reloc);
break;
}
char *name;
#if NE_BUG
if (rel.index > 0 && rel.index < bin->ne_header->ModRefs) {
offset = modref[rel.index - 1] + bin->header_offset + bin->ne_header->ImportNameTable;
name = __read_nonnull_str_at (bin->buf, offset);
} else {
name = r_str_newf ("UnknownModule%d_%x", rel.index, off); // ????
}
#else
char *name = NULL;
if (rel.index > bin->ne_header->ModRefs) {
name = r_str_newf ("UnknownModule%d_%x", rel.index, off); // ????
} else {
} else if (rel.index > 0) {
offset = modref[rel.index - 1] + bin->header_offset + bin->ne_header->ImportNameTable;
name = __read_nonnull_str_at (bin->buf, offset);
}
#endif
if (rel.flags & IMPORTED_ORD) {
imp->ordinal = rel.func_ord;
imp->name = r_str_newf ("%s.%s", name, __func_name_from_ord(name, rel.func_ord));
char *fname = __func_name_from_ord (name, rel.func_ord);
imp->name = r_str_newf ("%s.%s", name, fname);
free (fname);
} else {
offset = bin->header_offset + bin->ne_header->ImportNameTable + rel.name_off;
char *func = __read_nonnull_str_at (bin->buf, offset);
Expand Down Expand Up @@ -566,6 +558,7 @@ RList *r_bin_ne_get_relocs(r_bin_ne_obj_t *bin) {
r_list_append (relocs, reloc);
} else {
do {
#define NE_BUG 0
#if NE_BUG
if (reloc->paddr + 4 < r_buf_size (bin->buf)) {
break;
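Review bot: On the new side of the second hunk, `name` is left NULL when `rel.index == 0`, because the `} else if (rel.index > 0) {` branch is skipped and no fallback is assigned; that NULL is then handed to `__func_name_from_ord (name, rel.func_ord)` and to the `%s` in `r_str_newf ("%s.%s", name, fname)`, which is undefined behaviour if the formatter forwards to vsnprintf, so a relocation with a zero module index still reaches an unchecked pointer after this fix. The smallest change is to route index 0 into the existing fallback: `if (rel.index == 0 || rel.index > bin->ne_header->ModRefs) {` with the second branch reduced back to a plain `} else {`. Whether `__read_nonnull_str_at` can itself return NULL is not visible in this hunk; if it can, `name` needs the same guard after that call. The enclosing `r_bin_ne_get_relocs` starts and ends outside the hunk, and the trailing `} else {` continues past it.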
14 changes: 14 additions & 0 deletions test/db/formats/ne
@@ -1,3 +1,17 @@
NAME=NE crash
FILE=bins/ne/necrash
CMDS=<<EOF
aaa
i~format
i~csum
aflc
EOF
EXPECT=<<EOF
format ne
hdr.csum c258016a
0
EOF
RUN
NAME=NE Symbols
FILE=bins/ne/anim8.exe
CMDS=is
