
Fix #7698 - UAF in r_config_set when loading a dex

radare committed Jun 7, 2017
1 parent bcdbfca commit f85bc674b2a2256a364fe796351bc1971e106005
Showing with 8 additions and 4 deletions.
  1. +2 −1 libr/config/config.c
  2. +6 −3 libr/core/cbin.c
@@ -388,8 +388,9 @@ R_API RConfigNode* r_config_set(RConfig *cfg, const char *name, const char *valu
if (node->value == value) {
goto beach;
}
free (node->value);
char *tmp = node->value;
node->value = strdup (value);
free (tmp);
if (IS_DIGIT (*value)) {
if (strchr (value, '/')) {
node->i_value = r_num_get (cfg->num, value);
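Review bot: The lines right after `free (tmp);` still read through `value` (`IS_DIGIT (*value)`, `strchr (value, '/')`, `r_num_get (cfg->num, value)`), so a `value` that points into the old `node->value` buffer at a non-zero offset is still read after that buffer is freed; only the exact-pointer case is caught by the `node->value == value` check above. Running those checks on `node->value`, or moving `free (tmp);` below the last use of `value`, would close that gap. The `strdup (value)` result is also unchecked, so on allocation failure `node->value` becomes NULL while the old string has already been released; restoring `node->value = tmp;` and bailing out before the free would keep the previous setting. r_config_set continues outside the hunk, so whether any caller actually passes such an aliased pointer cannot be confirmed from here.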
@@ -96,7 +96,8 @@ R_API int r_core_bin_set_env(RCore *r, RBinFile *binfile) {
RBinInfo *info = binobj ? binobj->info: NULL;
if (info) {
int va = info->has_va;
const char * arch = info->arch;
char * arch = strdup(info->arch);
char * cpu = info->cpu? strdup(info->cpu): NULL;
ut16 bits = info->bits;
ut64 baseaddr = r_bin_get_baddr (r->bin);
/* Hack to make baddr work on some corner */
@@ -106,14 +107,16 @@ R_API int r_core_bin_set_env(RCore *r, RBinFile *binfile) {
r_config_set (r->config, "asm.arch", arch);
r_config_set_i (r->config, "asm.bits", bits);
r_config_set (r->config, "anal.arch", arch);
if (info->cpu && *info->cpu) {
r_config_set (r->config, "anal.cpu", info->cpu);
if (cpu && *cpu) {
r_config_set (r->config, "anal.cpu", cpu);
} else {
r_config_set (r->config, "anal.cpu", arch);
}
r_asm_use (r->assembler, arch);
r_core_bin_info (r, R_CORE_BIN_ACC_ALL, R_CORE_BIN_SET, va, NULL, NULL);
r_core_bin_set_cur (r, binfile);
free (cpu);
free (arch);
return true;
}
return false;
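Review bot: In the first cbin.c hunk `strdup(info->arch)` is unguarded while the next line checks `info->cpu` before copying it, so a NULL `info->arch` now reaches strdup (undefined behaviour) where the old code only passed the pointer along; `char *arch = info->arch? strdup (info->arch): NULL;` would match the `cpu` line. Neither copy is checked for allocation failure, and a NULL `arch` then flows into `r_config_set`, `r_asm_use` and the `anal.cpu` fallback in the second hunk. A short comment on the copies, e.g. `/* private copies: info may be released while the config callbacks run */`, would record why they exist; that reason is inferred from the commit title, so confirm it before adding. The lines between the two hunks are not shown, and any early return there would need the same `free (cpu); free (arch);`.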
