
ragg2 crash on long valid input. #14211

Closed
@mmmdzz

Description


Work environment

Questions                                         Answers
OS/arch/bits (mandatory)                          Ubuntu x86 64
File format of the file you reverse (mandatory)   ELF
Architecture/bits of the file (mandatory)         x86/64
r2 -v full output, not truncated (mandatory)      radare2 3.6.0-git 21923 @ linux-x86-64 git.3.5.1-149-g573f2caa3 commit: 573f2ca build: 2019-06-02__15:06:21

Expected behavior

$ ragg2 -a x86 -b 64 hello.r
$ <output asmcode>

Actual behavior

$ ragg2 -a x86 -b 64 hello.r
$ Segmentation fault (core dumped)

Steps to reproduce the behavior

Unzip hello.zip and you will get hello.r

Additional Logs, screenshots, source-code, configuration dump, ...

After checking the source code, the vulnerability is caused by a lack of boundary checking for "egg->lang.elem_n++", resulting in a heap buffer overflow. It could be fixed quickly by adding the associated checking.
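As an added illustration of the bug class the report describes (a hypothetical model written for this page, not ragg2's own code or its fix): a heap-allocated element table whose counter (`elem_n`) doubles as the write index, shown both with the unchecked push that overruns the table on long input and with the bounded push that rejects tokens beyond the capacity. `ELEM_MAX`, `Lang`, `push_elem` and `parse_tokens` are assumed names.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define ELEM_MAX 8  /* hypothetical capacity of the element table */

typedef struct {
    char **elem;  /* heap-allocated table of ELEM_MAX slots */
    int elem_n;   /* elements stored so far; the counter the report points at */
} Lang;

Lang *lang_new(void) {
    Lang *l = calloc(1, sizeof *l);
    if (l && !(l->elem = calloc(ELEM_MAX, sizeof *l->elem))) { free(l); l = NULL; }
    return l;
}

void lang_free(Lang *l) {
    if (!l) return;
    for (int i = 0; i < l->elem_n; i++) free(l->elem[i]);
    free(l->elem);
    free(l);
}

/* The bug class: the counter doubles as the index and is never compared with
 * the capacity, so token number ELEM_MAX+1 is written past the heap block. */
void push_elem_unchecked(Lang *l, const char *tok) {
    l->elem[l->elem_n++] = strdup(tok);
}

/* Hardened form: bound the index before incrementing and report failure. */
bool push_elem(Lang *l, const char *tok) {
    if (l->elem_n >= ELEM_MAX) return false;
    char *copy = strdup(tok);
    if (!copy) return false;
    l->elem[l->elem_n++] = copy;
    return true;
}

/* Tokenise whitespace-separated input into the table. Returns the element
 * count, or -1 when the input carries more tokens than the table can hold. */
int parse_tokens(Lang *l, const char *input) {
    char *buf = strdup(input);
    if (!buf) return -1;
    bool ok = true;
    for (char *t = strtok(buf, " \n"); t && ok; t = strtok(NULL, " \n"))
        ok = push_elem(l, t);
    free(buf);
    return ok ? l->elem_n : -1;
}
```

With the bounded push, an over-long input makes `parse_tokens` return -1 and leaves the table full but intact instead of writing past it.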
