Fix segfaults in fuzzed bins (#16538)
This commit is contained in:
pancake
GitHub
parent
fdb75d3bf9
commit
58f0d8343a
|
|
@ -969,7 +969,7 @@ R_IPI RBinClass *r_bin_class_new(const char *name, const char *super, int view)
|
|||
}
|
||||
|
||||
R_IPI void r_bin_class_free(RBinClass *k) {
|
||||
if (k) {
|
||||
if (k && k->name) {
|
||||
free (k->name);
|
||||
free (k->super);
|
||||
r_list_free (k->methods);
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
/* radare2 - LGPL - Copyright 2009-2019 - pancake, nibble, dso */
|
||||
/* radare2 - LGPL - Copyright 2009-2020 - pancake, nibble, dso */
|
||||
|
||||
#include <r_bin.h>
|
||||
#include <r_types.h>
|
||||
|
|
|
|||
|
|
@ -2663,6 +2663,11 @@ const struct symbol_t *MACH0_(get_symbols)(struct MACH0_(obj_t) *bin) {
|
|||
bin->dysymtab.nlocalsym + \
|
||||
bin->dysymtab.nundefsym );
|
||||
symbols_count += bin->nsymtab;
|
||||
if (symbols_count < 0 || ((st64)symbols_count * 2) > ST32_MAX) {
|
||||
eprintf ("Symbols count overflow\n");
|
||||
ht_pp_free (hash);
|
||||
return NULL;
|
||||
}
|
||||
symbols_size = (symbols_count + 1) * 2 * sizeof (struct symbol_t);
|
||||
|
||||
if (symbols_size < 1) {
|
||||
|
|
@ -2925,7 +2930,7 @@ static int reloc_comparator(struct reloc_t *a, struct reloc_t *b) {
|
|||
return a->addr - b->addr;
|
||||
}
|
||||
|
||||
static void parse_relocation_info (struct MACH0_(obj_t) *bin, RSkipList * relocs, ut32 offset, ut32 num) {
|
||||
static void parse_relocation_info(struct MACH0_(obj_t) *bin, RSkipList * relocs, ut32 offset, ut32 num) {
|
||||
if (!num || !offset) {
|
||||
return;
|
||||
}
|
||||
|
|
@ -2967,8 +2972,7 @@ static void parse_relocation_info (struct MACH0_(obj_t) *bin, RSkipList * relocs
|
|||
reloc->external = a_info.r_extern;
|
||||
reloc->pc_relative = a_info.r_pcrel;
|
||||
reloc->size = a_info.r_length;
|
||||
r_str_ncpy (reloc->name, sym_name, 256);
|
||||
|
||||
r_str_ncpy (reloc->name, sym_name, sizeof (reloc->name) - 1);
|
||||
r_skiplist_insert (relocs, reloc);
|
||||
}
|
||||
}
|
||||
|
|
@ -3220,14 +3224,7 @@ beach:
|
|||
}
|
||||
|
||||
struct addr_t *MACH0_(get_entrypoint)(struct MACH0_(obj_t) *bin) {
|
||||
r_return_val_if_fail (bin && bin->sects, NULL);
|
||||
|
||||
#if 0
|
||||
/* it's probably a dylib */
|
||||
if (!bin->entry) {
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
r_return_val_if_fail (bin, NULL);
|
||||
|
||||
struct addr_t *entry = R_NEW0 (struct addr_t);
|
||||
if (!entry) {
|
||||
|
|
@ -3239,7 +3236,7 @@ struct addr_t *MACH0_(get_entrypoint)(struct MACH0_(obj_t) *bin) {
|
|||
sdb_num_set (bin->kv, "mach0.entry.vaddr", entry->addr, 0);
|
||||
sdb_num_set (bin->kv, "mach0.entry.paddr", bin->entry, 0);
|
||||
|
||||
if (entry->offset == 0) {
|
||||
if (entry->offset == 0 && !bin->sects) {
|
||||
int i;
|
||||
for (i = 0; i < bin->nsects; i++) {
|
||||
// XXX: section name shoudnt matter .. just check for exec flags
|
||||
|
|
|
|||
|
|
@ -1521,6 +1521,7 @@ static void parse_class(RBinFile *bf, RBinDexClass *c, int class_index, int *met
|
|||
cls->fields = r_list_new ();
|
||||
if (!cls->fields) {
|
||||
r_list_free (cls->methods);
|
||||
free (cls);
|
||||
goto beach;
|
||||
}
|
||||
const char *str = createAccessFlagStr (c->access_flags, kAccessForClass);
|
||||
|
|
@ -1622,7 +1623,7 @@ static void parse_class(RBinFile *bf, RBinDexClass *c, int class_index, int *met
|
|||
}
|
||||
cls = NULL;
|
||||
beach:
|
||||
r_bin_class_free (cls);
|
||||
return;
|
||||
}
|
||||
|
||||
static bool is_class_idx_in_code_classes(RBinDexObj *bin, int class_idx) {
|
||||
|
|
|
|||
|
|
@ -110,7 +110,8 @@ static RBuffer *build (REgg *egg) {
|
|||
if (!shell) {
|
||||
break;
|
||||
}
|
||||
r_str_ncpy (shell, &b, sizeof (st64) + 1);
|
||||
r_str_ncpy (shell, (char *)&b, sizeof (st64));
|
||||
shell[sizeof (st64)] = 0;
|
||||
cd = 4;
|
||||
r_buf_set_bytes (buf, sc, strlen ((const char *)sc));
|
||||
r_buf_write_at (buf, cd, (const ut8 *)shell, sizeof (st64));
|
||||
|
|
|
|||
Loading…
Reference in New Issue