
Commit 193f4fe

authored
Fix integer overflow in string search causing oobread ##crash
* Reported by @GreaterGoodest via huntrdev * BountyID: 8a3dc5cb-08b3-4807-82b2-77f08c137a04 * Reproducer bfileovf
1 parent eca58ce commit 193f4fe

1 file changed

+6
-6
lines changed


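--- a/libr/bin/bfile.c
+++ b/libr/bin/bfile.c
@@ -178,27 +178,27 @@ static int string_scan_range(RList *list, RBinFile *bf, int min,
 free (charset);
 RConsIsBreaked is_breaked = (bin && bin->consb.is_breaked)? bin->consb.is_breaked: NULL;
 // may oobread
-while (needle < to) {
+while (needle < to && needle < UT64_MAX - 4) {
 if (is_breaked && is_breaked ()) {
 break;
 }
 // smol optimization
-if (needle + 4 < to) {
-ut32 n1 = r_read_le32 (buf + needle - from);
+if (needle < to - 4) {
+ut32 n1 = r_read_le32 (buf + (needle - from));
 if (!n1) {
 needle += 4;
 continue;
 }
 }
-rc = r_utf8_decode (buf + needle - from, to - needle, NULL);
+rc = r_utf8_decode (buf + (needle - from), to - needle, NULL);
 if (!rc) {
 needle++;
 continue;
 }
 bool addr_aligned = !(needle % 4);
 
 if (type == R_STRING_TYPE_DETECT) {
-char *w = (char *)buf + needle + rc - from;
+char *w = (char *)buf + (needle + rc - from);
 if (((to - needle) > 8 + rc)) {
 // TODO: support le and be
 bool is_wide32le = (needle + rc + 2 < to) && (!w[0] && !w[1] && !w[2] && w[3] && !w[4]);
@@ -248,7 +248,7 @@ static int string_scan_range(RList *list, RBinFile *bf, int min,
 rc = 2;
 }
 } else {
-rc = r_utf8_decode (buf + needle - from, to - needle, &r);
+rc = r_utf8_decode (buf + (needle - from), to - needle, &r);
 if (rc > 1) {
 str_type = R_STRING_TYPE_UTF8;
 }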
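Review bot: The rewritten guard `if (needle < to - 4)` in the first hunk moves the wrap from the left operand to the right one: if `to` is an unsigned 64-bit offset (the `UT64_MAX - 4` term added to the loop condition suggests it is) and `to < 4`, `to - 4` wraps to a huge value, the condition holds, and `r_read_le32` reads four bytes starting at `needle` even though fewer than that remain before `to`. The loop condition already guarantees `needle < to`, so `to - needle` cannot underflow, and the same difference is already passed as the length to `r_utf8_decode` two lines below; writing the check as `if (to - needle > 4) {` expresses the intended `needle + 4 < to` with no overflow on either side. The `needle < UT64_MAX - 4` term in the `while` then has nothing left to protect, but it is harmless. The body of `string_scan_range` starts before and continues after this hunk.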
