MIPS disassembler segfault

[radare]

$ lldb -- rasm2 -a mips.cs -d 04110001
Current executable set to 'rasm2' (x86_64).
(lldb) r
Process 96820 launched: '/usr/bin/rasm2' (x86_64)
Process 96820 stopped
* thread #1: tid = 0x54470, 0x000000010100205a libcapstone.dylib`insn_find(m=0x0000000101488bb0, max=<unavailable>, id=0) + 58 at utils.c:30, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x9701488a84)
    frame #0: 0x000000010100205a libcapstone.dylib`insn_find(m=0x0000000101488bb0, max=<unavailable>, id=0) + 58 at utils.c:30
   27
   28       while(begin <= end) {
   29           i = (begin + end) / 2;
-> 30           if (id == m[i].id)
   31               return i;
   32           else if (id < m[i].id)
   33               end = i - 1;
(lldb) bt
* thread #1: tid = 0x54470, 0x000000010100205a libcapstone.dylib`insn_find(m=0x0000000101488bb0, max=<unavailable>, id=0) + 58 at utils.c:30, queue = 'com.apple.main-thread, stop reason = EXC_BAD_ACCESS (code=1, address=0x9701488a84)
    frame #0: 0x000000010100205a libcapstone.dylib`insn_find(m=0x0000000101488bb0, max=<unavailable>, id=0) + 58 at utils.c:30
    frame #1: 0x0000000101033cd0 libcapstone.dylib`Mips_get_insn_id(insn=0x00007fff5fbeb720, id=<unavailable>) + 288 at mapping.c:1410
    frame #2: 0x00000001010016ee libcapstone.dylib`fill_insn(handle=<unavailable>, insn=0x00007fff5fbeb720, buffer=0x00007fff5fbeb518, mci=0x00007fff5fbfcd30, printer=0x0000000000000000, code=0x0000000100501480) + 78 at cs.c:179
    frame #3: 0x00000001010018ec libcapstone.dylib`cs_disasm_dyn(ud=4300216320, buffer=0x0000000100501480, size=4, offset=0, count=1, insn=0x00007fff5fbfd430) + 348 at cs.c:321
    frame #4: 0x00000001003ebd89 asm_mips_cs.dylib`disassemble + 169
    frame #5: 0x00000001000b271e libr_asm.dylib`r_asm_disassemble(a=0x0000000100403900, op=0x00007fff5fbfd500, buf=0x0000000100501480, len=4) + 110 at asm.c:307
    frame #6: 0x00000001000b2c78 libr_asm.dylib`r_asm_mdisassemble(a=0x0000000100403900, buf=0x0000000100501480, len=4) + 440 at asm.c:370
    frame #7: 0x000000010000224d rasm2`rasm_disasm(buf=0x00007fff5fbffd14, offset=0, len=4, bits=32, ascii=0, bin=0, hex=0) + 893 at rasm2.c:101
    frame #8: 0x0000000100001a95 rasm2`main(argc=5, argv=0x00007fff5fbffbe0) + 4149 at rasm2.c:364
    frame #9: 0x00007fff8af065fd libdyld.dylib`start + 1
(lldb) disassemble -p
libcapstone.dylib`insn_find + 58 at utils.c:30:
-> 0x10100205a:  movl   (%rdi,%rcx), %ecx
   0x10100205d:  cmpl   %edx, %ecx
   0x10100205f:  je     0x10100206a               ; insn_find + 74 at utils.c:40
   0x101002061:  leal   -1(%rax), %esi
(lldb) register read
General Purpose Registers:
       rax = 0x000000007fffffff
       rbx = 0x0000000000000258
       rcx = 0x00000095fffffed4           <----- this value is 'i' and that's an out of bounds read op
       rdx = 0x0000000000000000
       rdi = 0x0000000101488bb0  insns
       rsi = 0x00000000ffffffff
       rbp = 0x00007fff5fbeb440
       rsp = 0x00007fff5fbeb440
        r8 = 0x0000000000000000
        r9 = 0x00000000ffffffff
       r10 = 0x001004003200c803
       r11 = 0xfffffffffffee7e0
       r12 = 0x00007fff5fbeb720
       r13 = 0x00007fff5fbfcd30
       r14 = 0x0000000101488bb0  insns
       r15 = 0x00007fff5fbeb518
       rip = 0x000000010100205a  libcapstone.dylib`insn_find + 58 at utils.c:30
    rflags = 0x0000000000010206
        cs = 0x000000000000002b
        fs = 0x0000000000000000
        gs = 0x000000007fff0000

[radare]

This is the commit I did to fix the segfault:

$ git format-patch HEAD^
0001-Fix-MIPS-disassembler-segfault.patch

$ xz < 0001-Fix-MIPS-disassembler-segfault.patch |base64
/Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AJLAaZdACMcieb23x44dHxFiPxaejNzD3JoPccbVwwO1tEqGGpv0ZXF0HhzcXz1AtvC3TUXZ2Fvl0JlIe7XbH1aAwdidz9eJ00/C5BAqOXVGi48GEQhprL9KGXDqnNjeqINlIWnwG3RW/imyMyrNCaM3ALiq0ZK19XRPP3Ubsrtr4mBbrB9GQL51cKSWhTxDAJoRwLCg5ZrDV+s8tPowXN5CWnK/Lbg4p9/2ggZwbehvNG+f8tqPu7EINs1GTzTkXWmcc5g41ndxCObVW6BCSgs8usdbWNpFAAJzXd+Ze2OzmxYiC6AVFNh82HSq+MxnL901aZ11/Y135ny7nvJYZtUIsVM13m/8U4+Tc3sJOujOa7BlDaMBs2wYOATspr13XgFYv6mIgXVIbTT+niT5Q7UdHG5ZG3Kb6CtStuDMJw2IEOSat+jBcQhVwwNnRWEMHRUNCwBAt4VU9MGCIVwQ5FCi3dAnl/DhRfsi/d1JdFaLou88ccHZPm9IkPTryt6s2s109mWcNva8FhoP+oY2UIg4tscrMwVcTX4N4/WetaJe9DaWdPvjXJg55GKAAAASTTAY6YLP3IAAcIDzAQAANDoR+OxxGf7AgAAAAAEWVo=

$ cat 0001-Fix-MIPS-disassembler-segfault.patch
From 53d23c94ce3062a265e2d11fb222550fd544f481 Mon Sep 17 00:00:00 2001
From: pancake <pancake@nopcode.org>
Date: Fri, 6 Dec 2013 03:55:14 +0100
Subject: [PATCH] Fix MIPS disassembler segfault

---
 utils.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/utils.c b/utils.c
index 539ab14..3f9e968 100644
--- a/utils.c
+++ b/utils.c
@@ -27,6 +27,8 @@ int insn_find(insn_map *m, unsigned int max, unsigned int id)

    while(begin <= end) {
        i = (begin + end) / 2;
+       if (i>=max)
+           return -1;
        if (id == m[i].id)
            return i;
        else if (id < m[i].id)
--
1.8.3.4 (Apple Git-47)

[aquynh]

Pancake, please could you provide the Mips code + arch + mode triggering
this crash, so i can verify if the root cause of the problem?

thanks,
Q

On Fri, Dec 6, 2013 at 10:57 AM, radare notifications@github.com wrote:

This is the commit I did to fix the segfault:

$ cat 0001-Fix-MIPS-disassembler-segfault.patch
From 53d23c94ce3062a265e2d11fb222550fd544f481 Mon Sep 17 00:00:00 2001
From: pancake pancake@nopcode.org
Date: Fri, 6 Dec 2013 03:55:14 +0100
Subject: [PATCH] Fix MIPS disassembler segfault

---

utils.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/utils.c b/utils.c
index 539ab14..3f9e968 100644
--- a/utils.c
+++ b/utils.c
@@ -27,6 +27,8 @@ int insn_find(insn_map *m, unsigned int max, unsigned int id)

while(begin <= end) {
    i = (begin + end) / 2;

•   if (i>=max)
  

•       return -1;
  if (id == m[i].id)
      return i;
  else if (id < m[i].id)
  

  --
  1.8.3.4 (Apple Git-47)

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/26#issuecomment-29959903
.

[radare]

It's already in the description of the bug. See the rasm2 hexpairs

On 06 Dec 2013, at 04:59, Nguyen Anh Quynh notifications@github.com wrote:

Pancake, please could you provide the Mips code + arch + mode triggering
this crash, so i can verify if the root cause of the problem?

thanks,
Q

On Fri, Dec 6, 2013 at 10:57 AM, radare notifications@github.com wrote:

This is the commit I did to fix the segfault:

$ cat 0001-Fix-MIPS-disassembler-segfault.patch
From 53d23c94ce3062a265e2d11fb222550fd544f481 Mon Sep 17 00:00:00 2001
From: pancake pancake@nopcode.org
Date: Fri, 6 Dec 2013 03:55:14 +0100
Subject: [PATCH] Fix MIPS disassembler segfault

---

utils.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/utils.c b/utils.c
index 539ab14..3f9e968 100644
--- a/utils.c
+++ b/utils.c
@@ -27,6 +27,8 @@ int insn_find(insn_map *m, unsigned int max, unsigned int id)

while(begin <= end) {
i = (begin + end) / 2;

• if (i>=max)

• return -1;
  if (id == m[i].id)
  return i;
  else if (id < m[i].id)

  1.8.3.4 (Apple Git-47)

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/26#issuecomment-29959903
.

—
Reply to this email directly or view it on GitHub.

[radare]

Please review/apply this patch before release