Heap out of bounds read in java_switch_op() #10296

Closed
fumfel opened this issue Jun 8, 2018 · 0 comments
fumfel commented Jun 8, 2018

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Ubuntu 18.04 x64 |
| File format of the file you reverse (mandatory) | Java Class |
| Architecture/bits of the file (mandatory) | N/A |
| r2 -v full output, not truncated (mandatory) | radare2 2.7.0-git 18328 @ linux-x86-64 git.2.6.0-153-g555e88a commit: 555e88a build: 2018-06-08__08:53:22 |

Expected behavior

Disassembly of file or error message.

Actual behavior

Heap out of bounds read in ASAN build.

Steps to reproduce the behavior

Additional Logs, screenshots, source-code, configuration dump, ...

===29956==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6110000053c0 at pc 0x7f95225e2a77 bp 0x7fff73fee260 sp 0x7fff73fee250
READ of size 1 at 0x6110000053c0 thread T0
    #0 0x7f95225e2a76 in java_switch_op XYZ/radare2/libr/..//libr/anal/p/anal_java.c:686
    #1 0x7f95225e2a76 in java_op XYZ/radare2/libr/..//libr/anal/p/anal_java.c:736
    #2 0x7f95226d8d64 in r_anal_op XYZ/radare2/libr/anal/op.c:106
    #3 0x7f9524f3c6cc in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:3122
    #4 0x7f9524c77931 in r_core_anal_refs XYZ/radare2/libr/core/cmd_anal.c:6277
    #5 0x7f9524d69763 in cmd_anal_all XYZ/radare2/libr/core/cmd_anal.c:6673
    #6 0x7f9524d69763 in cmd_anal XYZ/radare2/libr/core/cmd_anal.c:7023
    #7 0x7f9524f04527 in r_cmd_call XYZ/radare2/libr/core/cmd_api.c:237
    #8 0x7f9524dec4ae in r_core_cmd_subst_i XYZ/radare2/libr/core/cmd.c:2700
    #9 0x7f9524ca43c0 in r_core_cmd_subst XYZ/radare2/libr/core/cmd.c:1753
    #10 0x7f9524ca64c7 in r_core_cmd XYZ/radare2/libr/core/cmd.c:3402
    #11 0x56535074c60e in main XYZ/radare2/binr/radare2/radare2.c:1290
    #12 0x7f951e4fc82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x5653507513f8 in _start (/usr/local/bin/radare2+0x113f8)

0x6110000053c0 is located 0 bytes to the right of 256-byte region [0x6110000052c0,0x6110000053c0)
allocated by thread T0 here:
    #0 0x7f952548a602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7f9524f3c174 in r_core_anal_search_xrefs XYZ/radare2/libr/core/canal.c:3084

SUMMARY: AddressSanitizer: heap-buffer-overflow XYZ/radare2/libr/..//libr/anal/p/anal_java.c:686 java_switch_op
Shadow bytes around the buggy address:
  0x0c227fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff8a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8a50: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff8a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff8a70: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c227fff8a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c227fff8a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c227fff8aa0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c227fff8ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff8ac0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==29956==ABORTING
@radare radare closed this as completed in 224e6bc Jun 11, 2018
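The trace above is a one-byte read at offset 256 of a 256-byte heap buffer that `r_core_anal_search_xrefs` hands to the Java analysis plugin, reached while `java_switch_op` decodes a `tableswitch`/`lookupswitch`. The failure mode is generic to any decoder of these instructions: the operand table's length is taken from the instruction header (`high - low + 1` entries, or `npairs` pairs), so a header that claims more entries than the window holds drives reads past the end of the buffer. As an added example, not code from radare2 or from this issue, here is a bounds-checked decoder in C that treats the available byte count as authoritative and refuses a switch whose table would extend past it. The sample byte arrays are constructed; `decode_jvm_switch`, `jvm_switch_t` and the `code_off` parameter are this example's own names and are not radare2's API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* JVM opcodes for the two switch instructions (JVMS section 6.5). */
#define JVM_TABLESWITCH  0xaa
#define JVM_LOOKUPSWITCH 0xab

typedef struct {
    uint8_t  opcode;
    int32_t  def;       /* default branch offset, relative to the opcode */
    int32_t  low, high; /* tableswitch key range (unused for lookupswitch) */
    uint64_t ncases;    /* number of jump-table entries or match/offset pairs */
    size_t   size;      /* total instruction length incl. opcode and padding */
} jvm_switch_t;

/* Big-endian signed 32-bit read; the caller guarantees 4 bytes are available. */
static int32_t be32(const uint8_t *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
               | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    return (int32_t)v;
}

/*
 * Decode a tableswitch/lookupswitch whose opcode is at buf[0].
 * buf/len:  the bytes actually available (e.g. a fixed-size analysis window).
 * code_off: offset of the opcode within the method's code[] array; the JVM
 *           pads after the opcode so the first operand is 4-byte aligned
 *           relative to the start of code[] (assumption of this example: the
 *           caller knows that offset).
 * Returns the instruction length, or -1 if the header is invalid or the
 * operand table would extend past len. Never reads beyond buf[len-1].
 */
int decode_jvm_switch(const uint8_t *buf, size_t len, uint32_t code_off,
                      jvm_switch_t *out) {
    if (buf == NULL || len < 1) return -1;
    uint8_t op = buf[0];
    if (op != JVM_TABLESWITCH && op != JVM_LOOKUPSWITCH) return -1;

    /* 0..3 padding bytes so the first operand sits on a 4-byte boundary */
    size_t pos = 1 + ((4 - ((code_off + 1) & 3)) & 3);

    /* fixed header: tableswitch = default,low,high; lookupswitch = default,npairs */
    size_t hdr = (op == JVM_TABLESWITCH) ? 12 : 8;
    if (len < pos || len - pos < hdr) return -1;

    jvm_switch_t sw = {0};
    sw.opcode = op;
    sw.def = be32(buf + pos);
    size_t entry_size;
    if (op == JVM_TABLESWITCH) {
        sw.low  = be32(buf + pos + 4);
        sw.high = be32(buf + pos + 8);
        if (sw.high < sw.low) return -1;   /* JVMS requires low <= high */
        /* 64-bit arithmetic: high - low + 1 overflows int32 for extreme ranges */
        sw.ncases = (uint64_t)((int64_t)sw.high - (int64_t)sw.low + 1);
        entry_size = 4;                    /* one int32 offset per case */
    } else {
        int32_t npairs = be32(buf + pos + 4);
        if (npairs < 0) return -1;
        sw.ncases = (uint64_t)npairs;
        entry_size = 8;                    /* int32 match + int32 offset */
    }
    pos += hdr;

    /* The check that turns an out-of-bounds read into a clean error. Divide
       the remaining bytes instead of multiplying ncases so a huge count
       cannot wrap the comparison. */
    if ((len - pos) / entry_size < sw.ncases) return -1;

    /* Walk every branch offset as an analyzer would; all reads are in bounds now. */
    for (uint64_t i = 0; i < sw.ncases; i++) {
        (void)be32(buf + pos + i * entry_size + (entry_size - 4));
    }
    pos += (size_t)(sw.ncases * entry_size);
    sw.size = pos;
    if (out) *out = sw;
    return (int)pos;
}

/* Constructed sample: well-formed tableswitch at code offset 0 with three cases. */
static const uint8_t GOOD_TABLESWITCH[] = {
    0xaa, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x20,  /* opcode+3 pad, default=+32 */
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x02,  /* low=0, high=2 (3 cases) */
    0x00, 0x00, 0x00, 0x0c,  0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x14,
};
/* Constructed sample: same bytes, but the header claims high=99 (100 cases,
   400 bytes of offsets) while only 12 bytes of table follow in a 28-byte buffer. */
static const uint8_t TRUNCATED_TABLESWITCH[] = {
    0xaa, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x20,
    0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x63,  /* high = 99 */
    0x00, 0x00, 0x00, 0x0c,  0x00, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x14,
};
/* Constructed sample: lookupswitch with npairs = INT32_MAX and no pairs at all. */
static const uint8_t HUGE_LOOKUPSWITCH[] = {
    0xab, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x20,  0x7f, 0xff, 0xff, 0xff,
};

int decode_good(void)      { return decode_jvm_switch(GOOD_TABLESWITCH, sizeof GOOD_TABLESWITCH, 0, NULL); }
int decode_truncated(void) { return decode_jvm_switch(TRUNCATED_TABLESWITCH, sizeof TRUNCATED_TABLESWITCH, 0, NULL); }
int decode_huge(void)      { return decode_jvm_switch(HUGE_LOOKUPSWITCH, sizeof HUGE_LOOKUPSWITCH, 0, NULL); }

int main(void) {
    jvm_switch_t sw;
    int n = decode_jvm_switch(GOOD_TABLESWITCH, sizeof GOOD_TABLESWITCH, 0, &sw);
    printf("good: len=%d cases=%llu default=%d\n", n, (unsigned long long)sw.ncases, sw.def);
    printf("truncated tableswitch: %d\n", decode_truncated());
    printf("huge lookupswitch: %d\n", decode_huge());
    return 0;
}
```

The well-formed sample decodes to a 28-byte instruction; the two malformed samples return -1 instead of reading past the buffer. The same length check is what lets an analyzer working on a fixed-size window (here 256 bytes) treat a switch straddling the window edge as "need more bytes" rather than as memory it may read.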