Fix radareorg#19178 - UAF in aaft when anal.detectwrites is enabled #…

…#crash
aemmitt-ns · Jan 26, 2022 · 76c72b2 · 76c72b2
1 parent 71557ca
commit 76c72b2
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/libr/core/anal_tp.c b/libr/core/anal_tp.c
@@ -555,10 +555,29 @@ R_API void r_core_anal_type_match(RCore *core, RAnalFunction *fcn) {
 	if (!_pc) {
 		return;
 	}
+	int retries = 2;
 	char *pc = strdup (_pc);
 	r_cons_break_push (NULL, NULL);
+repeat:
+	if (retries < 0) {
+		return;
+	}
 	r_list_sort (fcn->bbs, bb_cmpaddr); // TODO: The algorithm can be more accurate if blocks are followed by their jmp/fail, not just by address
+	// TODO: Use ut64
+	size_t bblist_size = r_list_length (fcn->bbs);
+	ut64 *bblist = calloc (sizeof (ut64), bblist_size + 1);
+	int i = 0;
 	r_list_foreach (fcn->bbs, it, bb) {
+		bblist[i++] = bb->addr;
+	}
+	for (i = 0; i < bblist_size; i++) {
+		bb = r_anal_get_block_at (core->anal, bblist[i]);
+		if (!bb) {
+			eprintf ("Warning: basic block at 0x%08"PFMT64x" was removed during analysis.\n", bblist[i]);
+			retries--;
+			free (bblist);
+			goto repeat;
+		}
 		ut64 addr = bb->addr;
 		ut8 *buf = calloc (bb->size + 32, 1);
 		if (!buf) {
@@ -801,6 +820,7 @@ R_API void r_core_anal_type_match(RCore *core, RAnalFunction *fcn) {
 		}
 		free (buf);
 	}
+	free (bblist);
 	// Type propgation for register based args
 	RList *list = r_anal_var_list (anal, fcn, R_ANAL_VAR_KIND_REG);
 	RAnalVar *rvar;