Fix oobread in dalvik disassembler ##crash

radareorg · Feb 20, 2024 · 7f16936 · 7f16936
1 parent cc651d2
commit 7f16936
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/libr/arch/p/dalvik/plugin.c b/libr/arch/p/dalvik/plugin.c
@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2010-2023 - pancake */
+/* radare - LGPL - Copyright 2010-2024 - pancake */
 
 #include <r_arch.h>
 #include "opcode.h"
@@ -10,7 +10,6 @@ static inline ut64 _anal_get_offset(RArch *a, int type, int idx) {
 	if (a && a->binb.bin && a->binb.get_offset) {
 		return a->binb.get_offset (a->binb.bin, type, idx);
 	}
-
 	return UT64_MAX;
 }
 
@@ -302,12 +301,14 @@ static int dalvik_disassemble(RArchSession *as, RAnalOp *op, ut64 addr, const ut
 			// ushort size
 			// int[size] keys
 			// int[size] relative offsets
-			{
+			if (len > 3) {
 				ut16 array_size = buf[2] | (buf[3] << 8);
 				op->mnemonic = r_str_newf ("sparse-switch-payload %d", array_size);
 				size = 4;
 				payload = 2 * (array_size * 4);
 				len = 0;
+			} else {
+				return -1;
 			}
 			break;
 		case 0x03: /* fill-array-data-payload */
@@ -319,9 +320,11 @@ static int dalvik_disassemble(RArchSession *as, RAnalOp *op, ut64 addr, const ut
 				ut32 array_size = buf[4] | (buf[5] << 8) | (buf[6] << 16) | ((ut32)buf[7] << 24);
 				op->mnemonic = r_str_newf ("fill-array-data-payload %d, %d", elem_width, array_size);
 				payload = array_size * elem_width;
+				size = 8;
+				len = 0;
+			} else {
+				return -1;
 			}
-			size = 8;
-			len = 0;
 			break;
 		default:
 			/* nop */