CVE-2022-1238: Fix another oobread segfault in the NE bin parser ##crash · radareorg/radare2@c40a4f9
Heap-based Buffer Overflow in libr/bin/format/ne/ne.c in GitHub repository radareorg/radare2 prior to 5.6.8. This vulnerability is a heap buffer overflow (the commit itself describes it as an out-of-bounds read) and may be exploitable. For a more general description of heap buffer overflows, see the corresponding CWE entry.
@@ -374,6 +374,9 @@ RList *r_bin_ne_get_entrypoints(r_bin_ne_obj_t *bin) {
}
int off = 0;
while (off < bin->ne_header->EntryTableLength) {
if (bin->entry_table + off + 32 >= r_buf_size (bin->buf)) {
break;
}
ut8 bundle_length = *(ut8 *)(bin->entry_table + off);
if (!bundle_length) {
break;
@@ -398,7 +401,9 @@ RList *r_bin_ne_get_entrypoints(r_bin_ne_obj_t *bin) {
ut8 segnum = *(bin->entry_table + off);
off++;
ut16 segoff = *(ut16 *)(bin->entry_table + off);
entry->paddr = (ut64)bin->segment_entries[segnum - 1].offset * bin->alignment + segoff;
if (segnum > 0) {
entry->paddr = (ut64)bin->segment_entries[segnum - 1].offset * bin->alignment + segoff;
}
} else { // Fixed
entry->paddr = (ut64)bin->segment_entries[bundle_type - 1].offset * bin->alignment + *(ut16 *)(bin->entry_table + off);
}
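Review bot: The new `if (segnum > 0)` guard only stops the index `segnum - 1` from going negative; nothing checks it against the number of entries actually in `bin->segment_entries`, so a crafted NE file whose entry points to a segment number larger than the segment table still reads past the end of that array. The guard should also compare against the segment count from the NE header, e.g. `if (segnum > 0 && segnum <= bin->ne_header->SegCount) {` (assuming `SegCount` is the name this header struct uses for that field). The `// Fixed` branch below has the same shape — `segment_entries[bundle_type - 1]` is indexed by a byte read from the file with no upper bound visible in this hunk — and deserves the same check unless bundle_type is validated somewhere I cannot see from here. The `+ 32` check added in the first hunk runs once per bundle at the top of the while loop, so if these three reads sit inside a per-entry inner loop they are not covered by it either. r_bin_ne_get_entrypoints starts before this hunk and continues after it.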