Fix 1byte heap oobread in the brainfuck disassembler
radare authored and trufae committed Aug 14, 2023
1 parent 78fafcb commit ba919ad
Showing 2 changed files with 25 additions and 23 deletions.
34 changes: 19 additions & 15 deletions libr/arch/p/bf/plugin.c
Expand Up @@ -13,8 +13,8 @@ static size_t countChar(const ut8 *buf, int len, char ch) {
}

static int getid(char ch) {
const char *keys = "[]<>+-,.";
const char *cidx = strchr (keys, ch);
const char *const keys = "[]<>+-,.";
const char *const cidx = strchr (keys, ch);
return cidx? cidx - keys + 1: 0;
}

Expand Down Expand Up @@ -136,13 +136,11 @@ static int assemble(const char *buf, ut8 **outbuf) {
#define BUFSIZE_INC 32
static bool decode(RArchSession *as, RAnalOp *op, RArchDecodeMask mask) {
int len = op->size;
const ut8 *_buf = op->bytes;
const ut64 addr = op->addr;
if (len < 1) {
return false;
}

ut8 *buf = (ut8*)_buf; // XXX
ut8 *buf = op->bytes;
const ut64 addr = op->addr;
ut64 dst = 0LL;
if (!op) {
return 1;
Expand All @@ -169,29 +167,32 @@ static bool decode(RArchSession *as, RAnalOp *op, RArchDecodeMask mask) {
}
r_strbuf_set (&op->esil, "1,pc,-,brk,=[4],4,brk,+=");
#if 1
{
if (len > 1) {
const ut8 *p = buf + 1;
int lev = 0, i = 1;
len--;
while (i < len && *p) {
if (*p == '[') {
switch (*p) {
case '[':
lev++;
}
if (*p == ']') {
break;
case ']':
lev--;
if (lev == -1) {
dst = addr + (size_t)(p - buf) + 1;
if (lev < 1) {
size_t delta = p - buf;
dst = addr + (size_t)delta + 1;
op->jump = dst;
r_strbuf_set (&op->esil, "1,pc,-,brk,=[4],4,brk,+=,");
goto beach;
}
}
if (*p == 0x00 || *p == 0xff) {
break;
case 0:
case 0xff:
op->type = R_ANAL_OP_TYPE_ILL;
goto beach;
}
if (read_at && i == len - 1) {
break;
#if 0
// XXX unnecessary just break
int new_buf_len = len + 1 + BUFSIZE_INC;
ut8 *new_buf = calloc (new_buf_len, 1);
Expand All @@ -203,6 +204,9 @@ static bool decode(RArchSession *as, RAnalOp *op, RArchDecodeMask mask) {
p = buf + i;
len += BUFSIZE_INC;
}
#else
break;
#endif
}
p++;
i++;
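Review bot: The bracket-matching test in the `case ']':` branch of the hunk at `@@ -169` now fires too early for nested loops: `lev` starts at 0, so after one `[` it is 1 and the very next `]` brings it back to 0, which satisfies `lev < 1` and sets `op->jump` to the inner `]` rather than the matching outer one; the removed `lev == -1` test did not have this problem, so the condition should read `if (lev < 0) {`. The bounds fix itself (`len--` together with `i < len`) keeps every read inside `op->size`, at the cost of never examining the last byte of the buffer, so a `]` sitting exactly at `buf[op->size - 1]` is no longer matched — worth a comment if that is intended. In the earlier hunk at `@@ -136`, `op->size` is still read before the `if (!op)` test, so that check is dead; move it ahead of `int len = op->size;` and return `false` rather than `1` from this `bool` function. The `while` loop body continues in the hunk at `@@ -203`, and the end of `decode` lies outside the section.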
14 changes: 6 additions & 8 deletions libr/core/cmd_anal.c
Expand Up @@ -8719,9 +8719,9 @@ static void _anal_calls(RCore *core, ut64 addr, ut64 addr_end, bool printCommand
isValidCall = false;
}
if (isValidCall) {
ut8 buf[4] = {0};
r_io_read_at (core->io, op.jump, buf, 4);
isValidCall = memcmp (buf, "\x00\x00\x00\x00", 4);
ut8 zbuf[4] = {0};
r_io_read_at (core->io, op.jump, zbuf, 4);
isValidCall = memcmp (zbuf, "\x00\x00\x00\x00", 4);
}
if (isValidCall) {
#if JAYRO_03
Expand Down Expand Up @@ -8817,9 +8817,8 @@ static void cmd_anal_calls(RCore *core, const char *input, bool printCommands, b
}

static void cmd_sdbk(Sdb *db, const char *input) {
char *out = (input[0] == ' ')
? sdb_querys (db, NULL, 0, input + 1)
: sdb_querys (db, NULL, 0, "*");
const char *arg = (input[0] == ' ')? input + 1: "*";
char *out = sdb_querys (db, NULL, 0, arg);
if (out) {
r_cons_println (out);
free (out);
Expand Down Expand Up @@ -9118,7 +9117,7 @@ static void anal_axg(RCore *core, const char *input, int level, Sdb *db, int opt
}

static void cmd_anal_ucall_ref(RCore *core, ut64 addr) {
RAnalFunction * fcn = r_anal_get_function_at (core->anal, addr);
RAnalFunction *fcn = r_anal_get_function_at (core->anal, addr);
if (fcn) {
r_cons_printf (" ; %s", fcn->name);
} else {
Expand Down Expand Up @@ -9257,7 +9256,6 @@ static void axfm(RCore *core) {
last_addr = ref->addr;
}
}

RVecAnalRef_free (refs);
}
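Review bot: In the `_anal_calls` hunk at `@@ -8719`, the return value of `r_io_read_at` is still not checked, so an unreadable `op.jump` is indistinguishable from a target that genuinely holds four zero bytes; that yields the conservative outcome here only because `zbuf` is zero-initialised, and a one-line comment would make that dependency explicit: `// zbuf stays zeroed if the read fails, so an unreadable target is rejected below`. The remaining hunks of this section (the `cmd_sdbk` restructuring, the pointer-declarator spacing and the dropped blank line) are cosmetic. `_anal_calls` starts and ends outside the hunk.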

