Fix #10464 - oobread crash in mdmp (#10683)
radare committed Jul 9, 2018
1 parent ad11c11 commit eb7deb2
Showing 1 changed file with 8 additions and 7 deletions.
15 changes: 8 additions & 7 deletions libr/bin/format/mdmp/mdmp.c
@@ -362,7 +362,7 @@ static bool r_bin_mdmp_init_directory_entry(struct r_bin_mdmp_obj *obj, struct m
/* We could confirm data sizes but a malcious MDMP will always get around
** this! But we can ensure that the data is not outside of the file */
if (entry->location.rva + entry->location.data_size > obj->b->length) {
eprintf("[ERROR] Size Mismatch - Stream data is larger than file size!\n");
eprintf ("[ERROR] Size Mismatch - Stream data is larger than file size!\n");
return false;
}

@@ -646,10 +646,7 @@ static bool r_bin_mdmp_init_directory_entry(struct r_bin_mdmp_obj *obj, struct m

static bool r_bin_mdmp_init_directory(struct r_bin_mdmp_obj *obj) {
int i;
ut8 *directory_base;
struct minidump_directory *entry;

directory_base = obj->b->buf + obj->hdr->stream_directory_rva;
struct minidump_directory entry;

sdb_num_set (obj->kv, "mdmp_directory.offset",
obj->hdr->stream_directory_rva, 0);
@@ -658,9 +655,13 @@ static bool r_bin_mdmp_init_directory(struct r_bin_mdmp_obj *obj) {
"(mdmp_location_descriptor)Location", 0);

/* Parse each entry in the directory */
ut64 rvadir = obj->hdr->stream_directory_rva;
for (i = 0; i < (int)obj->hdr->number_of_streams; i++) {
entry = (struct minidump_directory *)(directory_base + (i * sizeof (struct minidump_directory)));
r_bin_mdmp_init_directory_entry (obj, entry);
ut32 delta = i * sizeof (struct minidump_directory);
int r = r_buf_read_at (obj->b, rvadir + delta, (ut8*) &entry, sizeof (struct minidump_directory));
if (r) {
r_bin_mdmp_init_directory_entry (obj, &entry);
}
}

return true;
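Review bot: In the last hunk the result of `r_buf_read_at` is tested with `if (r)`, which accepts any non-zero value, so a short read (and a negative error return, if the function has one; its contract is not visible on this page) would still hand the stack-allocated `entry`, partly or wholly uninitialized, to `r_bin_mdmp_init_directory_entry`. Comparing against the full record size closes that gap: `if (r != (int)sizeof (struct minidump_directory)) { break; }` followed by the unconditional call. Breaking rather than skipping also matters because `number_of_streams` is read from the file header, and as written a bogus count keeps the loop issuing failing reads until `i` reaches it. `delta` is declared `ut32`, so computing the offset as `rvadir + (ut64)i * sizeof (struct minidump_directory)` would avoid truncation for large `i`. The closing brace of `r_bin_mdmp_init_directory` lies outside the hunk.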