Headline
CVE-2021-32495: Fix #18666 - uaf in python bin parser · radareorg/radare2@5e16e2d
Radare2 has a use-after-free vulnerability in the pyc parser’s get_none_object function. An attacker can read freed memory afterwards, which allows them to cause a denial of service.
@@ -1,4 +1,4 @@
/* radare - LGPL3 - Copyright 2016-2020 - Matthieu (c0riolis) Tardy - l0stb1t*/
/* radare - LGPL3 - Copyright 2016-2021 - Matthieu (c0riolis) Tardy - l0stb1t*/
#include <r_io.h>
#include <r_bin.h>
@@ -88,9 +88,7 @@ static ut8 *get_bytes(RBuffer *buffer, ut32 size) {
}
static pyc_object *get_none_object(void) {
pyc_object *ret;
ret = R_NEW0 (pyc_object);
pyc_object *ret = R_NEW0 (pyc_object);
if (!ret) {
return NULL;
}
@@ -1137,7 +1135,9 @@ static pyc_object *get_object(RBuffer *buffer) {
}
if (flag && ref_idx) {
free_object (ref_idx->data);
if (ref_idx->data != ret) {
free_object (ref_idx->data);
}
ref_idx->data = copy_object (ret);
}
return ret;
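Review bot: In the `get_object` hunk the result of `copy_object (ret)` is stored into `ref_idx->data` without a NULL check, so an allocation failure after the previous object has been freed would leave the slot holding NULL; whether every reader of the reference list tolerates that cannot be seen from here and should be confirmed. The new `ref_idx->data != ret` guard is the actual lifetime fix and deserves a comment, for example `/* ret may already be the object stored in this slot; freeing it would hand the caller a dangling pointer */`. The guard only covers pointer identity, so if `ret` can alias an object nested inside `ref_idx->data`, the free would still invalidate it; that is worth checking against `free_object`, which is outside the hunk. The `get_none_object` hunk only merges a declaration with its initialiser, although the advisory text names that function as the site of the bug. The body of `get_object` starts outside the hunk.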