More fixes for MSVC demangling (#15212)

* Fix double-free * Fix command injection * Fix retrieving return based operator
radareorg · Oct 7, 2019 · c4f4463 · c4f4463
1 parent 8f0f118
commit c4f4463
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/libr/bin/mangling/microsoft_demangle.c b/libr/bin/mangling/microsoft_demangle.c
@@ -306,6 +306,7 @@ static int get_operator_code(char *buf, RList *names_l) {
 	case '8': SET_OPERATOR_CODE("operator=="); break;
 	case '9': SET_OPERATOR_CODE("operator!="); break;
 	case 'A': SET_OPERATOR_CODE("operator[]"); break;
+	case 'B': SET_OPERATOR_CODE("operator #{return_type}"); break;
 	case 'C': SET_OPERATOR_CODE("operator->"); break;
 	case 'D': SET_OPERATOR_CODE("operator*"); break;
 	case 'E': SET_OPERATOR_CODE("operator++"); break;
@@ -413,7 +414,6 @@ static int get_template(char *buf, SStrInfo *str_info) {
 		}
 		int i = get_operator_code (buf, names_l);
 		if (!i) {
-			r_list_free (names_l);
 			return 0;
 		}
 		len += i;
@@ -1563,6 +1563,13 @@ static EDemanglerErr parse_microsoft_mangled_name(char *sym, char **demangled_na
 		copy_string (&func_str, __64ptr, 0);
 	}
 
+	if (ret_type) {
+		if (strstr (func_str.type_str, "#{return_type}")) {
+			func_str.type_str = r_str_replace (func_str.type_str, "#{return_type}", ret_type, 0);
+			func_str.curr_pos -= strlen ("#{return_type}") - strlen (ret_type);
+		}
+	}
+
 	// need to be free by user
 	if (func_str.type_str) {
 		*demangled_name = strdup (func_str.type_str);

diff --git a/libr/bin/pdb/pdb.c b/libr/bin/pdb/pdb.c
@@ -797,11 +797,11 @@ void build_command_field(ELeafType lt, char **command_field) {
 	switch (lt) {
 	case eLF_STRUCTURE:
 	case eLF_UNION:
-		*command_field = (char *) malloc (strlen ("pf.") + 1);
+		*command_field = (char *) malloc (strlen ("\"pf.") + 1);
 		if (!(*command_field)) {
 			break;
 		}
-		strcpy (*command_field, "pf.");
+		strcpy (*command_field, "\"pf.");
 		break;
 	case eLF_ENUM:
 		*command_field = (char *) malloc (strlen ("\"td enum ") + 1);
@@ -1021,6 +1021,7 @@ static void print_types(R_PDB *pdb, int mode) {
 			}
 
 			if (mode == 'r') {
+				r_name_filter (name_field, -1);
 				pdb->cb_printf ("%s%s ", command_field, name_field);
 				if (lt != eLF_ENUM) {
 					pdb->cb_printf ("%s ", flags_format_field);
@@ -1029,6 +1030,7 @@ static void print_types(R_PDB *pdb, int mode) {
 				}
 				sym = (lt == eLF_ENUM)? ',': ' ';
 				for (i = 0; i < members_amount; i++) {
+					r_name_filter (members_name_field[i], -1);
 					pdb->cb_printf ("%s", members_name_field[i]);
 					if ((i + 1) != members_amount) {
 						pdb->cb_printf ("%c", sym);
@@ -1037,7 +1039,7 @@ static void print_types(R_PDB *pdb, int mode) {
 				if (lt == eLF_ENUM) {
 					pdb->cb_printf (" };\"\n");
 				} else {
-					pdb->cb_printf ("\n");
+					pdb->cb_printf ("\"\n");
 				}
 			}
 			if (mode == 'j') {