fix #2963 - oob write (1 byte) in pyc/marshal.c
wargio committed Aug 22, 2022
1 parent a0d0e56 commit 6894801
Showing 1 changed file with 6 additions and 8 deletions.
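--- a/librz/bin/format/pyc/marshal.c
+++ b/librz/bin/format/pyc/marshal.c
@@ -313,7 +313,6 @@ static pyc_object *get_binary_float_object(RzBuffer *buffer) {
 static pyc_object *get_complex_object(RzBinPycObj *pyc, RzBuffer *buffer) {
 pyc_object *ret = NULL;
 bool error = false;
-ut32 size = 0;
 ut32 n1 = 0;
 ut32 n2 = 0;
 
@@ -327,7 +326,7 @@ static pyc_object *get_complex_object(RzBinPycObj *pyc, RzBuffer *buffer) {
 } else {
 n1 = get_st32(buffer, &error);
 }
-if (error) {
+if (error || UT32_ADD_OVFCHK(n1, 1)) {
 free(ret);
 return NULL;
 }
@@ -336,8 +335,7 @@ static pyc_object *get_complex_object(RzBinPycObj *pyc, RzBuffer *buffer) {
 return NULL;
 }
 /* object contain string representation of the number */
-size = rz_buf_read(buffer, s1, n1);
-if (size != n1) {
+if (rz_buf_read(buffer, s1, n1) != n1) {
 RZ_FREE(s1);
 RZ_FREE(ret);
 return NULL;
@@ -346,18 +344,18 @@ static pyc_object *get_complex_object(RzBinPycObj *pyc, RzBuffer *buffer) {
 
 if ((pyc->magic_int & 0xffff) <= 62061) {
 n2 = get_ut8(buffer, &error);
-} else
+} else {
 n2 = get_st32(buffer, &error);
-if (error) {
+}
+if (error || UT32_ADD_OVFCHK(n2, 1)) {
 return NULL;
 }
 ut8 *s2 = malloc(n2 + 1);
 if (!s2) {
 return NULL;
 }
 /* object contain string representation of the number */
-size = rz_buf_read(buffer, s2, n2);
-if (size != n2) {
+if (rz_buf_read(buffer, s2, n2) != n2) {
 RZ_FREE(s1);
 RZ_FREE(s2);
 RZ_FREE(ret);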
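Review bot: The new `if (error || UT32_ADD_OVFCHK(n2, 1))` branch in the last hunk still returns NULL without releasing `s1` and `ret`, unlike the n1 branch above it (which calls `free(ret)`) and the short-read branch below it (which frees `s1`, `s2` and `ret`); the `if (!s2)` return right after it has the same gap. Because n2 is read straight from the parsed file, a malformed .pyc that fails at this point leaks the `n1 + 1` byte buffer on every parse, so both returns should be preceded by `RZ_FREE(s1); RZ_FREE(ret);`. Separately, the added check presumably rejects only a length of UT32_MAX, so other negative values returned by `get_st32` would still reach `malloc` as requests of nearly 4 GiB; bounding n1 and n2 against the bytes remaining in the buffer would be a tighter guard. The function body continues past the last hunk and the allocations of `ret` and `s1` fall between hunks, so both are inferred from the frees visible here.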
