From: pancake
Date: Thu, 25 Dec 2025 11:32:02 +0000 (+0100)
Subject: Fix UAF in the pdb deinit process ##crash
X-Git-Url: https://git.feebdaed.xyz/?a=commitdiff_plain;h=5bb960147e6b8cf34ef810d766b9e89e303f6681;p=0xmirror%2Fradare2.git
Fix UAF in the pdb deinit process ##crash
---
diff --git a/libr/bin/format/pdb/pdb.c b/libr/bin/format/pdb/pdb.c
index ada943bc37..0fd5df93f4 100644
--- a/libr/bin/format/pdb/pdb.c
+++ b/libr/bin/format/pdb/pdb.c
@@ -586,10 +586,6 @@ static void finish_pdb_parse(RBinPdb *pdb) {
 break;
 case 2:
 ss = (STpiStream *)r_list_iter_get (it);
- if (ss->free_) {
- ss->free_(ss, ss);
- }
- free (ss);
 break;
 case 3:
 dbi_stream = (SDbiStream *)r_list_iter_get (it);
@@ -629,6 +625,13 @@ static void finish_pdb_parse(RBinPdb *pdb) {
 r_list_free (pdb->pdb_streams2);
 // end of free pdb->streams2
+ if (ss) {
+ if (ss->free_) {
+ ss->free_(ss, ss);
+ }
+ free (ss);
+ }
+
 free (pdb->stream_map);
 r_buf_free (pdb->buf);
diff --git a/libr/core/cbin.c b/libr/core/cbin.c
index 2aa24b0569..2a77c86600 100644
--- a/libr/core/cbin.c
+++ b/libr/core/cbin.c
@@ -849,14 +849,14 @@ static bool bin_info(RCore *core, PJ *pj, int mode, ut64 laddr) {
 }
 bool havecode = is_executable (obj) | (!!obj->entries);
 const char *compiled = get_compile_time (bf->sdb);
- bool isvm = r_anal_archinfo (core->anal, R_ARCH_INFO_ISVM) == R_ARCH_INFO_ISVM;
+ const bool isvm = r_anal_archinfo (core->anal, R_ARCH_INFO_ISVM) == R_ARCH_INFO_ISVM;
 if (IS_MODE_SET (mode)) {
 r_config_set (core->config, "file.type", info->rclass);
 r_config_set (core->config, "cfg.bigendian", info->big_endian? "true": "false");
 if (isvm) {
- r_config_set_i (core->config, "asm.sub.varmin", 0);
+ r_config_set_i (core->config, "asm.sub.varmin", 16);
 }
 if (!info->rclass || strcmp (info->rclass, "fs")) {
 if (info->lang && info->lang[0] != '?') {
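Review bot: The `if (ss)` guard added at the end of finish_pdb_parse (second pdb.c hunk) is only sound if `ss` is initialised to NULL at its declaration, which lies outside both hunks; if it is an uninitialised local, the guard reads an indeterminate pointer whenever no stream reaches `case 2`, so confirm the declaration reads `STpiStream *ss = NULL;`. The first hunk now leaves `case 2` as a bare pointer capture with nothing saying the free was deliberately deferred, so add `// freed after the loop: presumably other streams still reference the TPI stream (confirm)` next to the assignment. If the stream list can hold more than one entry that reaches `case 2`, the capture overwrites the earlier pointer and that stream leaks, whereas the old code freed each one in the loop; a comment or a guard is warranted if that case is possible. finish_pdb_parse starts and ends outside these hunks.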
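Review bot: The literal 16 passed to r_config_set_i for asm.sub.varmin in this cbin.c hunk is repeated as text in the RAD-mode r_cons_printf of the next hunk (around line 906), so the two can silently drift apart; pull it into one named constant, e.g. `enum { VM_ASM_SUB_VARMIN = 16 };` used as `r_config_set_i (core->config, "asm.sub.varmin", VM_ASM_SUB_VARMIN);` and `r_cons_printf (core->cons, "'e asm.sub.varmin=%d\n", VM_ASM_SUB_VARMIN);`. Neither hunk says why 16 is the right minimum for VM targets, so a one-line rationale comment beside the constant would help the next reader. This change is unrelated to the UAF fix named in the commit title and would be easier to bisect as its own commit. bin_info starts and ends outside the hunk.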
@@ -906,7 +906,7 @@ static bool bin_info(RCore *core, PJ *pj, int mode, ut64 laddr) {
 r_cons_printf (core->cons, "endian %s\n", info->big_endian? "big": "little");
 } else if (IS_MODE_RAD (mode)) {
 if (isvm) {
- r_cons_printf (core->cons, "'e asm.sub.varmin=0\n");
+ r_cons_printf (core->cons, "'e asm.sub.varmin=16\n");
 }
 if (info->type && !strcmp (info->type, "fs")) {
 r_cons_printf (core->cons, "e file.type=fs\n");
diff --git a/test/db/anal/dalvik b/test/db/anal/dalvik
index be36a3127a..2094f7e06a 100644
--- a/test/db/anal/dalvik
+++ b/test/db/anal/dalvik
@@ -22,6 +22,6 @@ NAME=Dalvik HelloWorld func xref
 FILE=bins/dex/HelloWorld.dex
 CMDS=e io.va=0; aa; axt @ sym.LHello.method._init___V
 EXPECT=<()V ; segment.file
+entry0 0x26e [CALL:--x] invoke-direct {v0}, LHello.()V ; 0x0
 EOF
 RUN