Fix #22523 - 1 byte oobread in the java disassembler ##crash
parent
18f4ca11f5
commit
8e90149867
|
@ -57,13 +57,13 @@ static inline void swap_case(int index) {
|
|||
|
||||
static void backward_skip_major_word_break_chars(int *cursor) {
|
||||
while (*cursor >= 0 && is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
*cursor -= 1;
|
||||
(*cursor)--;
|
||||
}
|
||||
}
|
||||
|
||||
static void skip_major_word_break_chars(int *cursor) {
|
||||
while (*cursor < I.buffer.length && is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
*cursor += 1;
|
||||
(*cursor)++;
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -71,47 +71,48 @@ static void goto_word_start(int *cursor, BreakMode break_mode) {
|
|||
if (!is_word_break_char (I.buffer.data[*cursor], break_mode)) {
|
||||
/* move cursor backwards to the next word-break char */
|
||||
while (*cursor >= 0 && !is_word_break_char (I.buffer.data[*cursor], break_mode)) {
|
||||
*cursor -= 1;
|
||||
(*cursor)--;
|
||||
}
|
||||
} else if (is_word_break_char (I.buffer.data[*cursor], MINOR_BREAK)
|
||||
&& !is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
} else if (is_word_break_char (I.buffer.data[*cursor], MINOR_BREAK)) {
|
||||
/* move cursor backwards to the next non-word-break char OR MAJOR break char */
|
||||
while (*cursor >= 0 && is_word_break_char (I.buffer.data[*cursor], MINOR_BREAK)
|
||||
&& !is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
*cursor -= 1;
|
||||
(*cursor)--;
|
||||
}
|
||||
} else {
|
||||
/* move cursor backwards to the next MINOR word-break char OR non-word-break char */
|
||||
while (*cursor >= 0 && is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
*cursor -= 1;
|
||||
(*cursor)--;
|
||||
}
|
||||
}
|
||||
/* increment cursor to go to the start of current word */
|
||||
*cursor += 1;
|
||||
if (*cursor < I.buffer.length - 1) {
|
||||
(*cursor)++;
|
||||
}
|
||||
}
|
||||
|
||||
static void goto_word_end(int *cursor, BreakMode break_mode) {
|
||||
if (!is_word_break_char (I.buffer.data[*cursor], break_mode)) {
|
||||
/* move cursor forward to the next word-break char */
|
||||
while (*cursor < I.buffer.length && !is_word_break_char (I.buffer.data[*cursor], break_mode)) {
|
||||
*cursor += 1;
|
||||
(*cursor)++;
|
||||
}
|
||||
} else if (is_word_break_char (I.buffer.data[*cursor], MINOR_BREAK)) {
|
||||
/* move cursor forward to the next non-word-break char or MAJOR break char */
|
||||
while (*cursor < I.buffer.length && is_word_break_char (I.buffer.data[*cursor], MINOR_BREAK)
|
||||
&& !is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
*cursor += 1;
|
||||
(*cursor)++;
|
||||
}
|
||||
}
|
||||
/* decrement cursor to go to the end of current word */
|
||||
if (*cursor > 0) {
|
||||
*cursor -= 1;
|
||||
(*cursor)--;
|
||||
}
|
||||
}
|
||||
|
||||
static void goto_next_word(int *cursor, BreakMode break_mode) {
|
||||
goto_word_end (cursor, break_mode);
|
||||
*cursor += 1;
|
||||
(*cursor)++;
|
||||
if (is_word_break_char (I.buffer.data[*cursor], MAJOR_BREAK)) {
|
||||
skip_major_word_break_chars (cursor);
|
||||
}
|
||||
|
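Review bot: The new guard `if (*cursor < I.buffer.length - 1)` at the end of goto_word_start never fires when I.buffer.length is 0, because the backward loops above it can drive *cursor to -1 and -1 < -1 is false, so the function now returns a negative cursor where the old unconditional `*cursor += 1` restored 0; whether goto_word_start is reachable with an empty buffer is not visible here. Keeping both the fix and the old floor is `if (*cursor < 0) { *cursor = 0; } else if (*cursor < I.buffer.length - 1) { (*cursor)++; }`. The reads of `I.buffer.data[*cursor]` at the top of goto_word_start and goto_word_end, and the one right after `(*cursor)++` in goto_next_word, still happen before any range check, so they rely on the caller passing a cursor inside the buffer (and on data being terminated at I.buffer.length); a one-line precondition comment on each function would make that contract explicit. The loops in backward_skip_major_word_break_chars and skip_major_word_break_chars in the first hunk leave the cursor at -1 or at I.buffer.length by design, so every caller has to normalize it the same way. goto_next_word's body continues outside the hunk.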
@ -1180,7 +1181,7 @@ static void __print_prompt(void) {
|
|||
free (b);
|
||||
free (rb);
|
||||
free (c);
|
||||
count += 1;
|
||||
count++;
|
||||
if (count > strlen (I.prompt)) {
|
||||
count = 0;
|
||||
}
|
||||
|
|
|
@ -60,7 +60,7 @@ static void open_plugins_at(RCore *core, const char *arg, const char *user_path)
|
|||
}
|
||||
}
|
||||
|
||||
static void __loadSystemPlugins(RCore *core, int where, const char *path) {
|
||||
static void load_system_plugins(RCore *core, int where, const char *path) {
|
||||
#if R2_LOADLIBS
|
||||
if (!where) {
|
||||
where = -1;
|
||||
|
@ -139,7 +139,7 @@ static bool is_script(const char *name) {
|
|||
|
||||
R_API bool r_core_loadlibs(RCore *core, int where, const char *path) {
|
||||
ut64 prev = r_time_now_mono ();
|
||||
__loadSystemPlugins (core, where, path);
|
||||
load_system_plugins (core, where, path);
|
||||
/* TODO: all those default plugin paths should be defined in r_lib */
|
||||
if (!r_config_get_b (core->config, "cfg.plugins")) {
|
||||
core->times->loadlibs_time = 0;
|
||||
|
|
|
@ -68,6 +68,9 @@ static int r_cmd_qjs_call(void *c, const char *input) {
|
|||
// Iterate over plugins until one returns "true" (meaning the plugin handled the input)
|
||||
QjsCorePlugin *plugin;
|
||||
R_VEC_FOREACH (&pm->core_plugins, plugin) {
|
||||
if (plugin == NULL) {
|
||||
continue;
|
||||
}
|
||||
QjsContext *qc = &plugin->qctx;
|
||||
JSValueConst args[1] = { JS_NewString (qc->ctx, input) };
|
||||
JSValue res = JS_Call (qc->ctx, qc->call_func, JS_UNDEFINED, countof (args), args);
|
||||
|
|
|
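Review bot: The `JS_NewString (qc->ctx, input)` result on the line after the new NULL guard is passed to JS_Call without being checked; JS_NewString returns JS_EXCEPTION when it cannot allocate the string, and that value would then be handed to the plugin as its argument. Consider `if (JS_IsException (args[0])) { continue; }` before the JS_Call, and note that whether `JS_FreeValue (qc->ctx, args[0])` is issued after the call cannot be seen because r_cmd_qjs_call continues outside the hunk. The added guard itself is fine; a short comment stating when a NULL entry can appear in pm->core_plugins would make its purpose clear to the next reader.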
@ -161,7 +161,8 @@ R_API int java_print_opcode(RBinJavaObj *obj, ut64 addr, int idx, const ut8 *byt
|
|||
snprintf (output, outlen, "%s %s", JAVA_OPS[idx].name, arg);
|
||||
free (arg);
|
||||
} else {
|
||||
snprintf (output, outlen, "%s #%d", JAVA_OPS[idx].name, USHORT (bytes, 1));
|
||||
const int num = (len > 2)? USHORT (bytes, 1): bytes[1];
|
||||
snprintf (output, outlen, "%s #%d", JAVA_OPS[idx].name, num);
|
||||
}
|
||||
output[outlen - 1] = 0;
|
||||
return update_bytes_consumed (JAVA_OPS[idx].size);
|
||||
|
|
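Review bot: `bytes[1]` on the new `const int num = (len > 2)? USHORT (bytes, 1): bytes[1];` line is still read unconditionally when len <= 2, so a call with len == 1 keeps a one-byte over-read of the kind the commit title describes; USHORT (bytes, 1) presumably needs bytes[1] and bytes[2], which the len > 2 test covers, but the fallback needs len > 1. Guard it too: `const int num = (len > 2)? USHORT (bytes, 1): (len > 1)? bytes[1]: 0;`. When len is short the printed immediate is silently truncated while `update_bytes_consumed (JAVA_OPS[idx].size)` on the last line still reports the full opcode size, so a caller may advance past the bytes it actually has; a comment on the fallback saying the operand is truncated on short input would make that explicit. java_print_opcode starts outside the hunk.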