
Commit 82c27d6

committed
Fix CID 1655150 - clamp num_annotations and dedupe rtv/rti helpers in shlr/java ##crash
1 parent 797b447 commit 82c27d6

2 files changed

Lines changed: 36 additions & 66 deletions

File tree

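--- a/libr/core/cmd_anal.inc.c
+++ b/libr/core/cmd_anal.inc.c
@@ -733,8 +733,7 @@ static RCoreHelpMessage help_msg_afl = {
 static RCoreHelpMessage help_msg_aflp = {
 "Usage:", "aflp", " manage function pins (emoji markers)",
 "aflp", "", "list only pinned functions",
-"aflp", " 📍", "pin current function with given emoji or string",
-"aflp", " smile", "pin using emoji short name (also accepts :smile:)",
+"aflp", " emoji", "pin using emoji or emoji name",
 "aflp-", "", "unset pin of current function",
 "aflp-", "*", "unset pins of all functions",
 "aflp*", "", "list pinned functions as r2 commands",
@@ -5442,14 +5441,13 @@ static bool afla_purge(void *user, const ut64 key, const void *val) {
 }
 
 static void cmd_aflp(RCore *core, const char *input) {
-// input points at char after "aflp"
 RAnalFunction *fcn;
 RListIter *iter;
 switch (*input) {
 case '?':
 r_core_cmd_help (core, help_msg_aflp);
-return;
-case '-': {
+break;
+case '-':
 if (input[1] == '*') {
 int n = 0;
 r_list_foreach (core->anal->fcns, iter, fcn) {
@@ -5467,9 +5465,8 @@ static void cmd_aflp(RCore *core, const char *input) {
 }
 R_FREE (f->pin);
 }
-return;
-}
-case ' ': {
+break;
+case ' ':
 RAnalFunction *f = r_anal_get_fcn_in (core->anal, core->addr, -1);
 if (!f) {
 R_LOG_ERROR ("No function at 0x%08"PFMT64x, core->addr);
@@ -5483,17 +5480,15 @@ static void cmd_aflp(RCore *core, const char *input) {
 free (f->pin);
 f->pin = strdup (resolved? resolved: emoji);
 }
-return;
-}
-case '*': {
+break;
+case '*':
 r_list_foreach (core->anal->fcns, iter, fcn) {
 if (fcn->pin) {
 r_cons_printf (core->cons, "aflp %s @ 0x%08"PFMT64x"\n", fcn->pin, fcn->addr);
 }
 }
-return;
-}
-case 'j': {
+break;
+case 'j':
 PJ *pj = r_core_pj_new (core);
 pj_a (pj);
 r_list_foreach (core->anal->fcns, iter, fcn) {
@@ -5510,21 +5505,19 @@ static void cmd_aflp(RCore *core, const char *input) {
 char *s = pj_drain (pj);
 r_cons_println (core->cons, s);
 free (s);
-return;
-}
-case 0: {
+break;
+case 0:
 r_list_foreach (core->anal->fcns, iter, fcn) {
 if (fcn->pin) {
 r_cons_printf (core->cons, "0x%08"PFMT64x" %4d %6"PFMT64d" %s %s\n",
 fcn->addr, r_list_length (fcn->bbs),
 r_anal_function_realsize (fcn), fcn->pin, fcn->name);
 }
 }
-return;
-}
+break;
 default:
-r_core_cmd_help (core, help_msg_aflp);
-return;
+r_core_return_invalid_command (core, "aflp", input[0]);
+break;
 }
 }
 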
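Review bot: Dropping the braces around `case ' ':` and `case 'j':` leaves a declaration (`RAnalFunction *f = r_anal_get_fcn_in (...)`, `PJ *pj = r_core_pj_new (core)`) directly after a case label, which C11/C17 compilers reject because a label must precede a statement, not a declaration; only C23 relaxes this, so unless the project builds as C23 those two cases need their block restored, e.g. `case ' ': {` ... `break;` `}`. Even where it compiles, `f` and `pj` now have switch-wide scope, so later cases can reach them with their initialization bypassed, which is easy to misuse on a future edit. The removed `// input points at char after "aflp"` was the only statement of the function's precondition; I would keep it as `/* input points at the char after "aflp" */` above the switch. The body of cmd_aflp extends outside the visible hunks.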
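--- a/shlr/java/class.c
+++ b/shlr/java/class.c
@@ -6804,34 +6804,36 @@ static RBinJavaAnnotationsArray *r_bin_java_annotation_array_new(RBinJavaObj *bi
 return annotation_array;
 }
 
-static RBinJavaAttrInfo *r_bin_java_rtv_annotations_attr_new(RBinJavaObj *bin, ut8 *buffer, ut64 sz, ut64 buf_offset) {
-ut32 i = 0;
-ut64 offset = 0;
+static RBinJavaAttrInfo *r_bin_java_annotations_attr_new(RBinJavaObj *bin, ut8 *buffer, ut64 sz, ut64 buf_offset, ut8 type) {
 if (sz < 8) {
 return NULL;
 }
 RBinJavaAttrInfo *attr = r_bin_java_default_attr_new (bin, buffer, sz, buf_offset);
-offset += 6;
-if (attr) {
-attr->type = R_BIN_JAVA_ATTR_TYPE_RUNTIME_VISIBLE_ANNOTATION_ATTR;
-attr->info.annotation_array.num_annotations = R_BIN_JAVA_USHORT (buffer, offset);
-offset += 2;
-attr->info.annotation_array.annotations = r_list_newf (r_bin_java_annotation_free);
-for (i = 0; i < attr->info.annotation_array.num_annotations; i++) {
-if (offset >= sz) {
-break;
-}
-RBinJavaAnnotation *annotation = r_bin_java_annotation_new (bin, buffer + offset, sz - offset, buf_offset + offset);
-if (annotation) {
-offset += annotation->size;
-r_list_append (attr->info.annotation_array.annotations, (void *)annotation);
-}
+ut64 offset = 6;
+attr->type = type;
+attr->info.annotation_array.num_annotations = R_BIN_JAVA_USHORT (buffer, offset);
+offset += 2;
+attr->info.annotation_array.annotations = r_list_newf (r_bin_java_annotation_free);
+// clamp tainted count by remaining buffer (each annotation needs at least 8 bytes)
+const ut64 nmax = (sz - offset) / 8;
+const ut32 n = R_MIN (attr->info.annotation_array.num_annotations, nmax);
+ut32 i;
+for (i = 0; i < n; i++) {
+RBinJavaAnnotation *annotation = r_bin_java_annotation_new (bin, buffer + offset, sz - offset, buf_offset + offset);
+if (!annotation) {
+break;
 }
-attr->size = offset;
+offset += annotation->size;
+r_list_append (attr->info.annotation_array.annotations, annotation);
 }
+attr->size = offset;
 return attr;
 }
 
+static RBinJavaAttrInfo *r_bin_java_rtv_annotations_attr_new(RBinJavaObj *bin, ut8 *buffer, ut64 sz, ut64 buf_offset) {
+return r_bin_java_annotations_attr_new (bin, buffer, sz, buf_offset, R_BIN_JAVA_ATTR_TYPE_RUNTIME_VISIBLE_ANNOTATION_ATTR);
+}
+
 static ut64 r_bin_java_annotation_array_calc_size(RBinJavaAnnotationsArray *annotation_array) {
 ut64 size = 0;
 RListIter *iter = NULL, *iter_tmp = NULL;
@@ -6859,32 +6861,7 @@ static ut64 r_bin_java_rtv_annotations_attr_calc_size(RBinJavaAttrInfo *attr) {
 }
 
 static RBinJavaAttrInfo *r_bin_java_rti_annotations_attr_new(RBinJavaObj *bin, ut8 *buffer, ut64 sz, ut64 buf_offset) {
-ut32 i = 0;
-ut64 offset = 0;
-if (sz < 8) {
-return NULL;
-}
-RBinJavaAttrInfo *attr = r_bin_java_default_attr_new (bin, buffer, sz, buf_offset);
-offset += 6;
-if (attr) {
-attr->type = R_BIN_JAVA_ATTR_TYPE_RUNTIME_INVISIBLE_ANNOTATION_ATTR;
-attr->info.annotation_array.num_annotations = R_BIN_JAVA_USHORT (buffer, offset);
-offset += 2;
-attr->info.annotation_array.annotations = r_list_newf (r_bin_java_annotation_free);
-for (i = 0; i < attr->info.annotation_array.num_annotations; i++) {
-if (offset >= sz) {
-break;
-}
-RBinJavaAnnotation *annotation = r_bin_java_annotation_new (bin, buffer + offset, sz - offset, buf_offset + offset);
-if (!annotation) {
-break;
-}
-offset += annotation->size;
-r_list_append (attr->info.annotation_array.annotations, (void *)annotation);
-}
-attr->size = offset;
-}
-return attr;
+return r_bin_java_annotations_attr_new (bin, buffer, sz, buf_offset, R_BIN_JAVA_ATTR_TYPE_RUNTIME_INVISIBLE_ANNOTATION_ATTR);
 }
 
 static ut64 r_bin_java_rti_annotations_attr_calc_size(RBinJavaAttrInfo *attr) {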
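Review bot: The new r_bin_java_annotations_attr_new dereferences `attr` unconditionally (`attr->type = type;`) right after r_bin_java_default_attr_new, while both removed bodies wrapped that work in `if (attr)`; if the constructor can return NULL (the old guard suggests it can), a crafted class file now reaches a null dereference instead of a clean failure, so add `if (!attr) { return NULL; }` before `ut64 offset = 6;`. The `nmax` clamp bounds how many iterations run but not the cumulative `offset += annotation->size` advance, and the per-iteration `if (offset >= sz) { break; }` guard was dropped with it; should an annotation report a size larger than the bytes left, `sz - offset` wraps as ut64 on the next call, so I would keep that guard at the top of the loop unless r_bin_java_annotation_new is known to bound `size` (not visible here). Note also that `num_annotations` retains the unclamped on-disk value while the list holds at most `n` entries; a one-line comment such as `// num_annotations is the declared count; the list holds only the parsed entries` would stop later readers from iterating by the field.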
