From 9cb0e0f1d7770282eda4018b0efd789a2c4e9bfd Mon Sep 17 00:00:00 2001
From: potato <30723680+0verflowme@users.noreply.github.com>
Date: Sat, 20 Dec 2025 13:37:42 +0530
Subject: [PATCH] Fix aaef corrupting files in write mode by routing ESIL writes to IO overlay ##analysis
---
 libr/core/canal.c | 5 +++++
 test/db/anal/arm-esil | 3 +--
 test/db/io/write | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/libr/core/canal.c b/libr/core/canal.c
index 81be2a9fca..617ce57f4f 100644
--- a/libr/core/canal.c
+++ b/libr/core/canal.c
@@ -5863,7 +5863,12 @@ R_API void r_core_anal_esil(RCore *core, const char *str /* len */, const char *
 ut64 fs = r_anal_function_realsize (fcn);
 if (ls > fs + 4096) {
 R_LOG_INFO ("Function is too sparse, must be analyzed with recursive");
+ // `aaef` (analysis) must not modify the opened file even in `-w` mode.
+ // Route ESIL writes to the IO overlay temporarily for this recursive pass.
+ bool (*old_write_at)(RIO *io, ut64 addr, const ut8 *buf, int len) = core->anal->iob.write_at;
+ core->anal->iob.write_at = r_io_vwrite_to_overlay_at;
 r_core_anal_esil_function (core, core->addr);
+ core->anal->iob.write_at = old_write_at;
 return;
 }
 start = r_anal_function_min_addr (fcn);
diff --git a/test/db/anal/arm-esil b/test/db/anal/arm-esil
index 5ac776473e..a15f611ca1 100644
--- a/test/db/anal/arm-esil
+++ b/test/db/anal/arm-esil
@@ -12,7 +12,7 @@ EOF EXPECT=<
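Review bot: The `write_at` swap protects only the sparse-function branch that ends in `return;`, so this change does not show whether the non-recursive path further down in `r_core_anal_esil` (outside this hunk) can still write to the opened file in `-w` mode; that path should be checked. The bytes ESIL stores during `r_core_anal_esil_function` now land in the IO overlay and nothing visible here discards them, so later reads, and presumably any later overlay commit, would see emulated data instead of the file's contents. If that is intended, a comment such as `// emulated stores remain in the IO overlay after this pass; they are not reverted here` would make it explicit. The override also mutates the shared `core->anal->iob` binding, so any other user of that binding during the call is redirected too. The pointer declaration would read better with the existing typedef, `RIOWriteAt old_write_at = core->anal->iob.write_at;`, assuming that is the declared type of the field.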