Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Fix crash in vtable analysis on UB ##crash
* Reported by @GreaterGoodest via huntrdev
* BountyID 0730a95e-c485-4ff2-9a5d-bb3abfda0b17
* Reproducer: minified_crash
  • Loading branch information
radare authored and trufae committed May 21, 2022
1 parent 6f6ea27 commit 919e3ac
Showing 1 changed file with 8 additions and 10 deletions.
18 changes: 8 additions & 10 deletions libr/anal/vtable.c
Expand Up @@ -58,6 +58,8 @@ R_API bool r_anal_vtable_begin(RAnal *anal, RVTableContext *context) {
context->read_addr = be? vtable_read_addr_be64 : vtable_read_addr_le64;
break;
default:
// cant be null. assume 32bit "->read_addr = NULL;
context->read_addr = be? vtable_read_addr_be32 : vtable_read_addr_le32;
return false;
}
return true;
Expand All @@ -72,7 +74,7 @@ static bool vtable_addr_in_text_section(RVTableContext *context, ut64 curAddress

static bool vtable_is_value_in_text_section(RVTableContext *context, ut64 curAddress, ut64 *value) {
//value at the current address
ut64 curAddressValue;
ut64 curAddressValue = UT64_MAX;
if (!context->read_addr (context->anal, curAddress, &curAddressValue)) {
return false;
}
Expand Down Expand Up @@ -132,6 +134,7 @@ static bool vtable_is_addr_vtable_start_itanium(RVTableContext *context, RBinSec
}

static bool vtable_is_addr_vtable_start_msvc(RVTableContext *context, ut64 curAddress) {
ut8 buf[VTABLE_BUFF_SIZE];
RAnalRef *xref;
RListIter *xrefIter;

Expand All @@ -150,19 +153,14 @@ static bool vtable_is_addr_vtable_start_msvc(RVTableContext *context, ut64 curAd
r_list_foreach (xrefs, xrefIter, xref) {
// section in which currenct xref lies
if (vtable_addr_in_text_section (context, xref->addr)) {
ut8 buf[VTABLE_BUFF_SIZE];
context->anal->iob.read_at (context->anal->iob.io, xref->addr, buf, sizeof(buf));

context->anal->iob.read_at (context->anal->iob.io, xref->addr, buf, sizeof (buf));
RAnalOp analop = {0};
r_anal_op (context->anal, &analop, xref->addr, buf, sizeof(buf), R_ANAL_OP_MASK_BASIC);

if (analop.type == R_ANAL_OP_TYPE_MOV
|| analop.type == R_ANAL_OP_TYPE_LEA) {
r_anal_op (context->anal, &analop, xref->addr, buf, sizeof (buf), R_ANAL_OP_MASK_BASIC);
if (analop.type == R_ANAL_OP_TYPE_MOV || analop.type == R_ANAL_OP_TYPE_LEA) {
r_list_free (xrefs);
r_anal_op_fini (&analop);
return true;
}

r_anal_op_fini (&analop);
}
}
Expand Down Expand Up @@ -286,7 +284,7 @@ R_API RList *r_anal_vtable_search(RVTableContext *context) {
}

R_API void r_anal_list_vtables(RAnal *anal, int rad) {
RVTableContext context;
RVTableContext context = {0};
r_anal_vtable_begin (anal, &context);

const char *noMethodName = "No Name found";
Expand Down

0 comments on commit 919e3ac

Please sign in to comment.