Fix UAF in the pdb deinit process ##crash

author pancake <pancake@nowsecure.com>

Thu, 25 Dec 2025 11:32:02 +0000 (12:32 +0100)

committer GitHub <noreply@github.com>

Thu, 25 Dec 2025 11:32:02 +0000 (12:32 +0100)
author pancake <pancake@nowsecure.com>
Thu, 25 Dec 2025 11:32:02 +0000 (12:32 +0100)
committer GitHub <noreply@github.com>
Thu, 25 Dec 2025 11:32:02 +0000 (12:32 +0100)
diff --git a/libr/bin/format/pdb/pdb.c b/libr/bin/format/pdb/pdb.c

index ada943bc37796dfa63ed5cf716e35d799a05cc1d..0fd5df93f47d84444be01fc17539e157053018c2 100644 (file)
--- a/libr/bin/format/pdb/pdb.c
+++ b/libr/bin/format/pdb/pdb.c
@@ -586,10 +586,6 @@ static void finish_pdb_parse(RBinPdb *pdb) {
                         break;
                 case 2:
                         ss = (STpiStream *)r_list_iter_get (it);
-                       if (ss->free_) {
-                               ss->free_(ss, ss);
-                       }
-                       free (ss);
                         break;
                 case 3:
                         dbi_stream = (SDbiStream *)r_list_iter_get (it);
@@ -629,6 +625,13 @@ static void finish_pdb_parse(RBinPdb *pdb) {
         r_list_free (pdb->pdb_streams2);
         // end of free pdb->streams2
  
+       if (ss) {
+               if (ss->free_) {
+                       ss->free_(ss, ss);
+               }
+               free (ss);
+       }
+
         free (pdb->stream_map);
         r_buf_free (pdb->buf);
  
diff --git a/libr/core/cbin.c b/libr/core/cbin.c

index 2aa24b0569fe5101d30f4fd801483ee1db88d074..2a77c86600d51ce1470a553d96076e961506dbfe 100644 (file)
--- a/libr/core/cbin.c
+++ b/libr/core/cbin.c
@@ -849,14 +849,14 @@ static bool bin_info(RCore *core, PJ *pj, int mode, ut64 laddr) {
         }
         bool havecode = is_executable (obj) | (!!obj->entries);
         const char *compiled = get_compile_time (bf->sdb);
-       bool isvm = r_anal_archinfo (core->anal, R_ARCH_INFO_ISVM) == R_ARCH_INFO_ISVM;
+       const bool isvm = r_anal_archinfo (core->anal, R_ARCH_INFO_ISVM) == R_ARCH_INFO_ISVM;
  
         if (IS_MODE_SET (mode)) {
                 r_config_set (core->config, "file.type", info->rclass);
                 r_config_set (core->config, "cfg.bigendian",
                         info->big_endian? "true": "false");
                 if (isvm) {
-                       r_config_set_i (core->config, "asm.sub.varmin", 0);
+                       r_config_set_i (core->config, "asm.sub.varmin", 16);
                 }
                 if (!info->rclass || strcmp (info->rclass, "fs")) {
                         if (info->lang && info->lang[0] != '?') {
@@ -906,7 +906,7 @@ static bool bin_info(RCore *core, PJ *pj, int mode, ut64 laddr) {
                 r_cons_printf (core->cons, "endian %s\n", info->big_endian? "big": "little");
         } else if (IS_MODE_RAD (mode)) {
                 if (isvm) {
-                       r_cons_printf (core->cons, "'e asm.sub.varmin=0\n");
+                       r_cons_printf (core->cons, "'e asm.sub.varmin=16\n");
                 }
                 if (info->type && !strcmp (info->type, "fs")) {
                         r_cons_printf (core->cons, "e file.type=fs\n");
diff --git a/test/db/anal/dalvik b/test/db/anal/dalvik

index be36a3127ac446b6f6244ab231c367b9091fb895..2094f7e06a5c17efad6b79e0b26114dbbf46d76f 100644 (file)
--- a/test/db/anal/dalvik
+++ b/test/db/anal/dalvik
@@ -22,6 +22,6 @@ NAME=Dalvik HelloWorld func xref
  FILE=bins/dex/HelloWorld.dex
  CMDS=e io.va=0; aa; axt @ sym.LHello.method._init___V
  EXPECT=<<EOF
-entry0 0x26e [CALL:--x] invoke-direct {v0}, LHello.<init>()V ; segment.file
+entry0 0x26e [CALL:--x] invoke-direct {v0}, LHello.<init>()V ; 0x0
  EOF
  RUN
author	pancake <pancake@nowsecure.com>
	Thu, 25 Dec 2025 11:32:02 +0000 (12:32 +0100)
committer	GitHub <noreply@github.com>
	Thu, 25 Dec 2025 11:32:02 +0000 (12:32 +0100)
libr/bin/format/pdb/pdb.c		patch \| blob \| history
libr/core/cbin.c		patch \| blob \| history
test/db/anal/dalvik		patch \| blob \| history