Fix heap corruption in Rust bindings (#62)
RabbitizerInstruction_getSizeForBuffer and
RabbitizerOperandType_getBufferSize return
the size _without_ the null terminator, so
we need to allocate one more byte to avoid
writing past the allocated vector bounds.
encounter authored May 22, 2024
1 parent f5c65d0 commit 4dd2a55
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion rust/src/instruction.rs
Expand Up @@ -709,7 +709,7 @@ impl Instruction {
let buffer_size =
RabbitizerInstruction_getSizeForBuffer(self, imm_override_len, extra_l_just);

let mut buffer: Vec<u8> = vec![0; buffer_size];
let mut buffer: Vec<u8> = vec![0; buffer_size + 1];
let disassembled_size = RabbitizerInstruction_disassemble(
self,
buffer.as_mut_ptr() as *mut core::ffi::c_char,
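Review bot: The `+ 1` in `vec![0; buffer_size + 1]` carries the whole fix, but nothing in the code says why it is there; the only explanation lives in the commit message, so a later reader may well "tidy" the over-allocation away and reintroduce the out-of-bounds write. Put the contract next to the allocation: `// getSizeForBuffer() excludes the trailing NUL that disassemble() writes; +1 or the C side runs past the Vec.` It is also worth pinning the contract after the FFI call with `debug_assert!(disassembled_size <= buffer_size);` (assuming both are the same integer type), so a future drift between the size query and the writer fails loudly in tests rather than silently corrupting the heap — though how `disassembled_size` is consumed is outside this hunk. The enclosing `Instruction` method starts before and ends after the hunk.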
2 changes: 1 addition & 1 deletion rust/src/opereand_type.rs
Expand Up @@ -30,7 +30,7 @@ impl operand_type_enum::OperandType {
unsafe {
let buffer_size = RabbitizerOperandType_getBufferSize(*self, instr, imm_override_len);

let mut buffer: Vec<u8> = vec![0; buffer_size];
let mut buffer: Vec<u8> = vec![0; buffer_size + 1];
let disassembled_size = RabbitizerOperandType_disassemble(
*self,
instr,
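Review bot: The `unsafe` block opening just above the `RabbitizerOperandType_getBufferSize` call has no `// SAFETY:` comment, and the invariant it now relies on — the Vec holds `buffer_size + 1` bytes so the NUL terminator appended by the C side stays in bounds — is exactly the one this commit had to repair, which is a strong sign it should be written down. Add `// SAFETY: getBufferSize() reports the length without the NUL; allocating buffer_size + 1 gives disassemble() room for it.` at the top of the block, and consider `debug_assert!(disassembled_size <= buffer_size);` after the call (assuming matching integer types) to catch any future mismatch between the size query and the writer. Whether the buffer is later truncated to `disassembled_size` before conversion is outside this hunk; the enclosing method starts before and ends after it.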
