From 153bcdc29f11cd8c90e7d639a7405450f644ddb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergi=20=C3=80lvarez=20i=20Capilla?=
Date: Fri, 8 Apr 2022 20:14:32 +0200
Subject: [PATCH] Fix oobread in NE parser ##crash
* Reported by @hmsec via huntr.dev
* Reproducer: necrash
* BountyID: 52b57274-0e1a-4d61-ab29-1373b555fea0/
---
 libr/bin/format/ne/ne.c | 19 ++++++-------------
 test/db/formats/ne | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/libr/bin/format/ne/ne.c b/libr/bin/format/ne/ne.c
index ee2df871ac87b..b907d56e93b17 100644
--- a/libr/bin/format/ne/ne.c
+++ b/libr/bin/format/ne/ne.c
@@ -1,7 +1,6 @@
 /* radare - LGPL - Copyright 2019-2022 - GustavoLCR */
 
 #include "ne.h"
-#define NE_BUG 0
 
 static char *__get_target_os(r_bin_ne_obj_t *bin) {
 switch (bin->ne_header->targOS) {
@@ -505,25 +504,18 @@ RList *r_bin_ne_get_relocs(r_bin_ne_obj_t *bin) {
 free (reloc);
 break;
 }
-char *name;
-#if NE_BUG
-if (rel.index > 0 && rel.index < bin->ne_header->ModRefs) {
-offset = modref[rel.index - 1] + bin->header_offset + bin->ne_header->ImportNameTable;
-name = __read_nonnull_str_at (bin->buf, offset);
-} else {
-name = r_str_newf ("UnknownModule%d_%x", rel.index, off); // ????
-}
-#else
+char *name = NULL;
 if (rel.index > bin->ne_header->ModRefs) {
 name = r_str_newf ("UnknownModule%d_%x", rel.index, off); // ????
-} else {
+} else if (rel.index > 0) {
 offset = modref[rel.index - 1] + bin->header_offset + bin->ne_header->ImportNameTable;
 name = __read_nonnull_str_at (bin->buf, offset);
 }
-#endif
 if (rel.flags & IMPORTED_ORD) {
 imp->ordinal = rel.func_ord;
-imp->name = r_str_newf ("%s.%s", name, __func_name_from_ord(name, rel.func_ord));
+char *fname = __func_name_from_ord (name, rel.func_ord);
+imp->name = r_str_newf ("%s.%s", name, fname);
+free (fname);
 } else {
 offset = bin->header_offset + bin->ne_header->ImportNameTable + rel.name_off;
 char *func = __read_nonnull_str_at (bin->buf, offset);
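Review bot: The new `} else if (rel.index > 0) {` branch closes the underflow on `modref[rel.index - 1]`, but a relocation with `rel.index == 0` now falls through with `name` still NULL, and the ordinal branch then hands that NULL to `__func_name_from_ord` and to `r_str_newf ("%s.%s", name, fname)`, where `%s` on a null pointer is undefined behavior (glibc happens to print "(null)", other libcs crash). The cheap fix is to route index 0 into the existing fallback: `if (rel.index == 0 || rel.index > bin->ne_header->ModRefs) {` and restore the plain `} else {` on the following branch, so `name` is always non-NULL by the time it is formatted. The `__read_nonnull_str_at` result and the `modref`-derived `offset` are not range-checked here, so this relies on that helper bounding its read against `bin->buf` — worth confirming, since the original report was an out-of-bounds read. The non-ordinal branch and the rest of r_bin_ne_get_relocs continue outside the hunk, so whether `name` is freed on every path cannot be seen from here.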
@@ -566,6 +558,7 @@ RList *r_bin_ne_get_relocs(r_bin_ne_obj_t *bin) {
 r_list_append (relocs, reloc);
 } else {
 do {
+#define NE_BUG 0
 #if NE_BUG
 if (reloc->paddr + 4 < r_buf_size (bin->buf)) {
 break;
diff --git a/test/db/formats/ne b/test/db/formats/ne
index 7b68344414dce..b71f29469b5d4 100644
--- a/test/db/formats/ne
+++ b/test/db/formats/ne
@@ -1,3 +1,17 @@
+NAME=NE crash
+FILE=bins/ne/necrash
+CMDS=<
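Review bot: Placing `#define NE_BUG 0` inside the do-loop body immediately before `#if NE_BUG` is a style problem: a preprocessor define is not block-scoped, so it stays defined for the rest of the translation unit, and a reader scanning the function sees a bounds check that is in fact permanently compiled out. If the guarded `reloc->paddr + 4 < r_buf_size (bin->buf)` block is dead, delete the `#if NE_BUG` ... `#endif` region rather than moving the switch next to it; if it is meant to become a live guard, note that as written it breaks out of the loop when the access is in range, which looks inverted and should be revisited before it is ever enabled. The do-loop body and r_bin_ne_get_relocs both continue outside the hunk, so the loop's exit condition cannot be checked from here.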