From 67af169fb7bd3908eb0fa465bfe496396971c46d Mon Sep 17 00:00:00 2001
From: pancake
Date: Fri, 3 Jun 2022 20:44:35 +0200
Subject: [PATCH] Fix some more bugs spotted by the docker fuzzer

---
 dist/docker/fuzz/Dockerfile | 4 ++++
 libr/cons/cons.c | 16 +++++++++-------
 libr/core/cmd_anal.c | 5 ++++-
 libr/core/cmd_cmp.c | 5 ++++-
 libr/core/cmd_mount.c | 4 ++--
 5 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/dist/docker/fuzz/Dockerfile b/dist/docker/fuzz/Dockerfile
index ae6c1ff239..8ae527f648 100644
--- a/dist/docker/fuzz/Dockerfile
+++ b/dist/docker/fuzz/Dockerfile
@@ -9,4 +9,8 @@ ENV ASAN_OPTIONS="detect_odr_violation=0 detect_leaks=0"
 ENV R2_DEBUG_ASSERT=1
+# RUN git clone https://gitlab.com/akihe/radamsa && cd radamsa && make && make install
+# COPY script.r2 /script.r2
+# ENTRYPOINT while : ; do echo one ; cat /script.r2 | radamsa | rarun2 timeout=5 system="r2 -e scr.null=true -Nq malloc://1024" > /dev/null ; done
+
 ENTRYPOINT while : ; do cat /dev/urandom | strings | rarun2 timeout=5 system="r2 -e scr.null=true -Nq malloc://1024" > /dev/null ; done
diff --git a/libr/cons/cons.c b/libr/cons/cons.c
index 0f73af20a5..0b1bed027e 100644
--- a/libr/cons/cons.c
+++ b/libr/cons/cons.c
@@ -47,11 +47,11 @@ static void break_stack_free(void *ptr) {
 static void cons_stack_free(void *ptr) {
 RConsStack *s = (RConsStack *)ptr;
- free (s->buf);
+ R_FREE (s->buf);
 if (s->grep) {
 R_FREE (s->grep->str);
 }
- free (s->grep);
+ R_FREE (s->grep);
 free (s);
 }
@@ -101,11 +101,13 @@ static void cons_stack_load(RConsStack *data, bool free_current) {
 }
 static void cons_grep_reset(RConsGrep *grep) {
- R_FREE (grep->str);
- ZERO_FILL (*grep);
- grep->line = -1;
- grep->sort = -1;
- grep->sort_invert = false;
+ if (grep) {
+ R_FREE (grep->str);
+ ZERO_FILL (*grep);
+ grep->line = -1;
+ grep->sort = -1;
+ grep->sort_invert = false;
+ }
 }
 static void cons_context_init(RConsContext *context, R_NULLABLE RConsContext *parent) {
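Review bot: The commented-out `RUN git clone https://gitlab.com/akihe/radamsa && cd radamsa && make && make install` line pulls an unpinned upstream HEAD into the image at build time, so whoever re-enables it builds and installs whatever that repository contains on that day, as whichever user the image build runs as. If the block is meant to stay as an optional alternative, pin it to a known tag or commit and say so, e.g. `# Optional: mutation-based fuzzing with radamsa (pin to a reviewed commit before enabling)`; otherwise drop the dead lines rather than carrying commented-out build steps in the Dockerfile. The third commented line can also read `radamsa < /script.r2` instead of `cat /script.r2 | radamsa`.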
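Review bot: Replacing `free` with `R_FREE` on `s->buf` and `s->grep` only NULLs fields of an object that `free (s)` releases two lines later, so the cons_stack_free hunk changes nothing observable; `s` itself is still dereferenced unconditionally, which is the case a fuzzer is more likely to hit if this callback can ever receive a NULL `ptr`. A guard in the style of the cons_grep_reset change in this same commit, `if (!s) { return; }` as the first statement, would make the two helpers consistent. Whether a NULL `ptr` can actually reach this function depends on the callers, which are outside this hunk.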
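Review bot: Wrapping the whole body of cons_grep_reset in `if (grep) { ... }` adds an indentation level for a one-line precondition; a guard clause `if (!grep) { return; }` at the top keeps the reset logic flat and matches the early-return style the same commit uses in cmd_debug_stack_init (`if (!b) { return; }`). The function also has no comment stating its contract, and a silent no-op on NULL is worth spelling out: `// Reset grep to its defaults; a NULL grep is a no-op.` above the signature.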
diff --git a/libr/core/cmd_anal.c b/libr/core/cmd_anal.c
index ab01a233af..b9f96cec68 100644
--- a/libr/core/cmd_anal.c
+++ b/libr/core/cmd_anal.c
@@ -6734,6 +6734,9 @@ static void __core_anal_appcall(RCore *core, const char *input) {
 static void cmd_debug_stack_init(RCore *core, int argc, char **argv, char **envp) {
 // TODO: add support for 32 bit
 RBuffer *b = r_buf_new ();
+ if (!b) {
+ return;
+ }
 ut64 sp = core->offset;
 int i;
 ut64 dyld_call_from = UT64_MAX;
@@ -6765,7 +6768,7 @@ static void cmd_debug_stack_init(RCore *core, int argc, char **argv, char **envp
 r_buf_append_string (b, envp[i]);
 r_buf_append_ut8 (b, 0);
 }
- int slen;
+ int slen = 0;
 ut8 *s = r_buf_read_all (b, &slen);
 char *x = r_hex_bin2strdup (s, slen);
 r_cons_printf ("wx %s\n", x);
diff --git a/libr/core/cmd_cmp.c b/libr/core/cmd_cmp.c
index c6e6191c25..8587aa0ee7 100644
--- a/libr/core/cmd_cmp.c
+++ b/libr/core/cmd_cmp.c
@@ -1502,7 +1502,10 @@ static int cmd_cmp(void *data, const char *input) {
 if (sz > 0) {
 ut64 at = r_num_math (core->num, input + 2);
 ut8 buf[8] = {0};
- r_io_read_at (core->io, at, buf, sizeof (buf));
+ if (r_io_read_at (core->io, at, buf, sizeof (buf)) < 1) {
+ r_core_return_value (core, -1);
+ break;
+ }
 int val = memcmp (buf, core->block, sz)? 1: 0;
 r_core_return_value (core, val);
 }
diff --git a/libr/core/cmd_mount.c b/libr/core/cmd_mount.c
index 0b34ed5466..e0b4e6567b 100644
--- a/libr/core/cmd_mount.c
+++ b/libr/core/cmd_mount.c
@@ -177,14 +177,14 @@ static int cmd_mount(void *data, const char *_input) {
 fstype = input;
 }
- if (!r_fs_mount (core->fs, fstype, mountp, off)) {
+ if (fstype && !r_fs_mount (core->fs, fstype, mountp, off)) {
 eprintf ("Cannot mount %s\n", input);
 }
 } else {
 if (!(ptr = r_fs_name (core->fs, core->offset))) {
 eprintf ("Unknown filesystem type\n");
 }
- if (!r_fs_mount (core->fs, ptr, input, core->offset)) {
+ if (ptr && !r_fs_mount (core->fs, ptr, input, core->offset)) {
 eprintf ("Cannot mount %s\n", input);
 }
 free (ptr);
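Review bot: Initialising `slen` in the second cmd_debug_stack_init hunk removes the uninitialised read, but the two lines after it still use `s` and `x` unchecked: if `r_buf_read_all` or `r_hex_bin2strdup` returns NULL on failure (their contracts are outside this hunk), `r_cons_printf ("wx %s\n", x)` receives a NULL `%s` argument and the fuzzer reaches the same kind of crash one call later. Guarding the output, `if (x) { r_cons_printf ("wx %s\n", x); }`, closes that path cheaply. The rest of the function, including whatever releases `b`, `s` and `x`, is outside this hunk, so I cannot confirm here that they are freed on this path.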
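Review bot: The new guard in cmd_cmp rejects a failed read, but `memcmp (buf, core->block, sz)` on the following line still reads `sz` bytes from the 8-byte stack buffer `buf`, so unless `sz` is clamped earlier in cmd_cmp (outside this hunk) any value above 8 overruns `buf`. Extending the check to `if (sz > (int)sizeof (buf) || r_io_read_at (core->io, at, buf, sizeof (buf)) < 1) {` (assuming `sz` is an int here) closes that path with the same `-1` return and `break`. If r_io_read_at reports a bool rather than a byte count, `!r_io_read_at (...)` would also state the intent more directly than `< 1`.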