Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix fpe and heap buffer overflow #3922

Merged
merged 5 commits into from
Oct 16, 2023
Merged

Fix fpe and heap buffer overflow #3922

merged 5 commits into from
Oct 16, 2023

Conversation

ttxine
Copy link
Contributor

@ttxine ttxine commented Oct 13, 2023
edited
Loading

Your checklist for this pull request

  • I've read the guidelines for contributing to this repository
  • I made sure to follow the project's coding style
  • I've documented or updated the documentation of every function and struct this PR changes. If not so I've explained why.
  • I've added tests that prove my fix is effective or that my feature works (if possible)
  • I've updated the rizin book with the relevant information (if needed)

Detailed description

le_create_maps() didn't check for h->pagesize to be non-zero.

get_ascii_object() and get_ascii_interned_object() didn't check n to be less or equal than ST32_MAX. This could lead to heap buffer overflow in get_bytes().

Test plan

CI is green

@github-actions github-actions bot added the RzBin label Oct 13, 2023
wargio
wargio reviewed Oct 14, 2023
View reviewed changes
librz/bin/format/le/le.c Outdated
@@ -1128,6 +1128,7 @@ static RzVector /*<LE_map>*/ *le_create_maps(rz_bin_le_obj_t *bin) {
rz_vector_foreach(le_maps, m) {
max_vaddr = RZ_MAX(max_vaddr, m->vaddr + m->vsize);
}
CHECK(h->pagesize);
bin->reloc_target_map_base = max_vaddr - max_vaddr % h->pagesize + h->pagesize * 2;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

add parenthesis for better reading.

wargio
wargio reviewed Oct 14, 2023
View reviewed changes
librz/bin/format/pyc/marshal.c Outdated
Comment on lines 697 to 699
ut32 n;

n = get_ut32(buffer, &error);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ut32 n;
n = get_ut32(buffer, &error);
ut32 n = get_ut32(buffer, &error);

wargio
wargio reviewed Oct 14, 2023
View reviewed changes
librz/bin/format/pyc/marshal.c Outdated
Comment on lines 682 to 684
ut32 n = 0;

n = get_ut32(buffer, &error);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
ut32 n = 0;
n = get_ut32(buffer, &error);
ut32 n = get_ut32(buffer, &error);

wargio
wargio reviewed Oct 14, 2023
View reviewed changes
librz/bin/format/pyc/marshal.c Outdated
Comment on lines 703 to 704
}
if (error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
}
if (error) {
} else if (error) {

@ttxine ttxine force-pushed the fix-fpe-and-heap-buffer-overflow branch from d64ea2a to b3d5863 Compare October 16, 2023 07:28
@XVilka XVilka merged commit bfef566 into rizinorg:dev Oct 16, 2023
43 checks passed
@ttxine ttxine deleted the fix-fpe-and-heap-buffer-overflow branch October 17, 2023 11:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ret2libc ret2libc ret2libc left review comments

@wargio wargio wargio approved these changes

@XVilka XVilka XVilka approved these changes

Assignees
No one assigned
Labels
RzBin
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ttxine @XVilka @wargio @ret2libc