From 37897226a1a31f982bfefdc4aeefc2e50355c73c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergi=20=C3=80lvarez=20i=20Capilla?=
Date: Thu, 6 Jan 2022 19:33:28 +0100
Subject: [PATCH] Fix use-after-free in iobank rbtree usage ##io

* See havoc4 bin for reproducer
* Reported via huntr.dev by 'Cen Zhang'
---
 libr/io/io_bank.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libr/io/io_bank.c b/libr/io/io_bank.c
index 228e422d65633..882dfc48d18f0 100644
--- a/libr/io/io_bank.c
+++ b/libr/io/io_bank.c
@@ -230,7 +230,10 @@ R_API bool r_io_bank_map_add_top(RIO *io, const ut32 bankid, const ut32 mapid) {
 //delete all submaps that are completly included in sm
 RRBNode *next = r_rbnode_next (entry);
 // this can be optimized, there is no need to do search here
-r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
+bool a = r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL);
+if (!a) {
+break;
+}
 entry = next;
 }
 if (entry && r_io_submap_from (((RIOSubMap *)entry->data)) <= r_io_submap_to (sm)) {
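Review bot: The new `break` leaves `entry` pointing at the node whose deletion just failed, and the `if (entry && r_io_submap_from (((RIOSubMap *)entry->data)) ...)` right after the loop dereferences it unconditionally; this is only safe if `r_crbtree_delete` returning false guarantees it neither freed nor relocated that node, which the hunk does not show and the commit message (a use-after-free reproducer) suggests is exactly the fragile case — please confirm against the rbtree implementation or set `entry = NULL` before breaking if the node state is not guaranteed. The failure is also silently swallowed, so a map-add that stops short of removing all covered submaps leaves the bank in a partially updated state with no trace; a log line at the file's usual warning level, or at least a comment such as `// deletion failed: stop here rather than walk a possibly-stale next pointer`, would tell the next maintainer why the loop exits early. As a point of style, `bool a` carries no meaning; folding the call into the condition, `if (!r_crbtree_delete (bank->submaps, entry->data, _find_sm_by_from_vaddr_cb, NULL)) {`, reads better and drops the throwaway name. The enclosing loop and `r_io_bank_map_add_top` both begin before this hunk, so the loop condition that decides whether `next` is still reachable was not visible in this review.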