From 919e3ac1a13f753c73e7a8e8d8bb4a143218732d Mon Sep 17 00:00:00 2001
From: pancake <pancake@nopcode.org>
Date: Sat, 21 May 2022 22:13:32 +0200
Subject: [PATCH] Fix crash in vtable analysis on UB ##crash

* Reported by @greatergoodest via huntrdev
* BountyID 0730a95e-c485-4ff2-9a5d-bb3abfda0b17
* Reproducer: minified_crash
---
 libr/anal/vtable.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/libr/anal/vtable.c b/libr/anal/vtable.c
index d3be434800df1..b819c8d693e33 100644
--- a/libr/anal/vtable.c
+++ b/libr/anal/vtable.c
@@ -58,6 +58,8 @@ R_API bool r_anal_vtable_begin(RAnal *anal, RVTableContext *context) {
 		context->read_addr = be? vtable_read_addr_be64 : vtable_read_addr_le64;
 		break;
 	default:
+		// cant be null. assume 32bit "->read_addr = NULL;
+		context->read_addr = be? vtable_read_addr_be32 : vtable_read_addr_le32;
 		return false;
 	}
 	return true;
@@ -72,7 +74,7 @@ static bool vtable_addr_in_text_section(RVTableContext *context, ut64 curAddress
 
 static bool vtable_is_value_in_text_section(RVTableContext *context, ut64 curAddress, ut64 *value) {
 	//value at the current address
-	ut64 curAddressValue;
+	ut64 curAddressValue = UT64_MAX;
 	if (!context->read_addr (context->anal, curAddress, &curAddressValue)) {
 		return false;
 	}
@@ -132,6 +134,7 @@ static bool vtable_is_addr_vtable_start_itanium(RVTableContext *context, RBinSec
 }
 
 static bool vtable_is_addr_vtable_start_msvc(RVTableContext *context, ut64 curAddress) {
+	ut8 buf[VTABLE_BUFF_SIZE];
 	RAnalRef *xref;
 	RListIter *xrefIter;
 
@@ -150,19 +153,14 @@ static bool vtable_is_addr_vtable_start_msvc(RVTableContext *context, ut64 curAd
 	r_list_foreach (xrefs, xrefIter, xref) {
 		// section in which currenct xref lies
 		if (vtable_addr_in_text_section (context, xref->addr)) {
-			ut8 buf[VTABLE_BUFF_SIZE];
-			context->anal->iob.read_at (context->anal->iob.io, xref->addr, buf, sizeof(buf));
-
+			context->anal->iob.read_at (context->anal->iob.io, xref->addr, buf, sizeof (buf));
 			RAnalOp analop = {0};
-			r_anal_op (context->anal, &analop, xref->addr, buf, sizeof(buf), R_ANAL_OP_MASK_BASIC);
-
-			if (analop.type == R_ANAL_OP_TYPE_MOV
-				|| analop.type == R_ANAL_OP_TYPE_LEA) {
+			r_anal_op (context->anal, &analop, xref->addr, buf, sizeof (buf), R_ANAL_OP_MASK_BASIC);
+			if (analop.type == R_ANAL_OP_TYPE_MOV || analop.type == R_ANAL_OP_TYPE_LEA) {
 				r_list_free (xrefs);
 				r_anal_op_fini (&analop);
 				return true;
 			}
-
 			r_anal_op_fini (&analop);
 		}
 	}
@@ -286,7 +284,7 @@ R_API RList *r_anal_vtable_search(RVTableContext *context) {
 }
 
 R_API void r_anal_list_vtables(RAnal *anal, int rad) {
-	RVTableContext context;
+	RVTableContext context = {0};
 	r_anal_vtable_begin (anal, &context);
 
 	const char *noMethodName = "No Name found";