
Fixed nasty segfault in vasm.c #10785

Merged
merged 2 commits into from Jul 23, 2018

Conversation

@cyanpencil cyanpencil (Contributor) commented Jul 19, 2018

Thanks to @Maijin who reported it!

This fixes the following segfault:

To reproduce: if you go to visual assemble and type
`jmp $$; jmp $$; jmp $$; ...`
then at the 1100th character typed or so you'll get a buffer overflow and a segfault.
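The three defects discussed in this thread (the unbounded strcpy of blockbuf, the unbounded memcpy of xlen hex bytes, and the terminator that is lost when the hex overlay runs past the end of the block copy) handled in one bounded routine, as an added C example constructed for this page rather than code from the PR; BUFSIZE stands in for R_VISUAL_ASM_BUFSIZE, whose real value the page does not show, and overlay_hex is a hypothetical helper.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Placeholder for R_VISUAL_ASM_BUFSIZE (assumption: the real value is not
 * on the page); kept small so truncation is easy to exercise. */
#define BUFSIZE 16

/* Same pattern as readline_callback in the PR: copy blockbuf into codebuf,
 * then overlay the assembled hex string at the start. Every write is
 * bounded by bufsize and codebuf is always NUL-terminated on return.
 * Returns true when both inputs fit, false when either was truncated. */
static bool overlay_hex(char *codebuf, size_t bufsize,
                        const char *blockbuf, const char *hex)
{
    bool truncated = false;
    size_t blen = strlen(blockbuf);
    size_t xlen = strlen(hex);

    if (bufsize == 0) return false;

    /* Bounded equivalent of strcpy (a->codebuf, a->blockbuf). */
    if (blen > bufsize - 1) { blen = bufsize - 1; truncated = true; }
    memcpy(codebuf, blockbuf, blen);
    codebuf[blen] = '\0';

    /* Bounded equivalent of memcpy (a->codebuf, a->acode->buf_hex, xlen). */
    if (xlen > bufsize - 1) { xlen = bufsize - 1; truncated = true; }
    memcpy(codebuf, hex, xlen);

    /* If the overlay ran past the block copy it overwrote the NUL written
     * above (the case radare and XVilka raised); xlen <= bufsize - 1 here,
     * so the index is in bounds. */
    if (xlen > blen) codebuf[xlen] = '\0';
    return !truncated;
}

int main(void) {
    char buf[BUFSIZE];
    bool ok = overlay_hex(buf, sizeof buf, "9090", "ebfeebfeebfeebfeebfeebfe");
    printf("%s: %s\n", ok ? "fit" : "truncated", buf);
    return 0;
}
```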

@radare radare (Collaborator) left a comment

We may get rid of this fixed size buffer at some point

@@ -40,7 +42,7 @@ static int readline_callback(void *_a, const char *str) {
if (a->acode) {
xlen = strlen (a->acode->buf_hex);
strcpy (a->codebuf, a->blockbuf);
memcpy (a->codebuf, a->acode->buf_hex, xlen);
memcpy (a->codebuf, a->acode->buf_hex, R_MIN (xlen, R_VISUAL_ASM_BUFSIZE - 1));
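Review bot: the replacement line caps the copy at R_VISUAL_ASM_BUFSIZE - 1 bytes but never writes a terminator, so whenever xlen exceeds strlen (a->blockbuf) (including the capped case) the memcpy overwrites the NUL that strcpy left behind and a->codebuf is no longer a valid C string. Write a terminator at the copied length whenever the overlay reaches or passes the end of the blockbuf copy, and bound `strcpy (a->codebuf, a->blockbuf);` on the line above as well, since a blockbuf longer than R_VISUAL_ASM_BUFSIZE overflows codebuf before the memcpy is ever reached.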

@radare radare (Collaborator), Jul 20, 2018

This will not be null-terminated. ASan may complain.

@cyanpencil cyanpencil (Author, Contributor), Jul 22, 2018

Oops, you're totally right ^^ Should be fixed now

@Maijin Maijin added the bug label Jul 20, 2018
@Maijin Maijin added this to the 2.8.0 milestone Jul 20, 2018
@cyanpencil cyanpencil force-pushed the cyanpencil:fix-vasm-overflow branch from 7f78033 to 061bd8d Jul 22, 2018
strcpy (a->codebuf, a->blockbuf);
memcpy (a->codebuf, a->acode->buf_hex, xlen);
if (xlen >= strlen (a->blockbuf)) {
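Review bot: the bound check comes one statement too late: `memcpy (a->codebuf, a->acode->buf_hex, xlen);` copies the full xlen before `if (xlen >= strlen (a->blockbuf))` is evaluated, so an xlen larger than the buffer (the long input from the description) has already overflowed a->codebuf by the time the condition runs, and the condition compares against blockbuf's length rather than the buffer size. Clamp xlen to R_VISUAL_ASM_BUFSIZE - 1 before the memcpy (as the earlier revision did), keep the explicit terminator for the overlay-past-block case, and bound `strcpy (a->codebuf, a->blockbuf);` too, since a blockbuf longer than the buffer overflows it on the preceding line.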

@XVilka XVilka (Contributor), Jul 23, 2018

This doesn't look right. It is an OOB write if xlen > strlen (a->codebuf). Please handle this case too.

@XVilka XVilka merged commit 008354f into radareorg:master Jul 23, 2018
1 of 2 checks passed
continuous-integration/travis-ci/pr: The Travis CI build failed
continuous-integration/appveyor/pr: AppVeyor build succeeded