Fix use-after-free in iobank rbtree usage ##io

* See havoc4 bin for reproducer * Reported via huntr.dev by 'Cen Zhang'
radareorg · Jan 6, 2022 · 3789722 · 3789722
1 parent 7cfd367
commit 3789722
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/libr/io/io_bank.c b/libr/io/io_bank.c
@@ -230,7 +230,10 @@ R_API bool r_io_bank_map_add_top(RIO *io, const ut32 bankid, const ut32 mapid) {
 		//delete all submaps that are completly included in sm
 		RRBNode *next = r_rbnode_next (entry);
 		// this can be optimized, there is no need to do search here
-		r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
+		bool a = r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
+		if (!a) {
+			break;
+		}
 		entry = next;
 	}
 	if (entry && r_io_submap_from (((RIOSubMap *)entry->data)) <= r_io_submap_to (sm)) {