Fix radareorg#2910 - two oob read with the command wo2
alvarofe committed Jul 12, 2015
1 parent ecf6792 commit dfb5058
Showing 2 changed files with 6 additions and 3 deletions.
6 changes: 4 additions & 2 deletions libr/core/cmd_write.c
Expand Up @@ -71,8 +71,10 @@ static void cmd_write_op (RCore *core, const char *input) {
}
case '2':
case '4':
r_core_write_op (core, input+3, input[1]);
r_core_block_read (core, 0);
if (input[2]){
r_core_write_op (core, input+3, input[1]);
r_core_block_read (core, 0);
}

radare Jul 12, 2015

else { eprintf ("Missing argument\n");

break;
case 'R':
r_core_cmd0 (core, "wr $b");
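
Review bot: in the case '2' / case '4' branch, a missing argument now falls through to break with no message, so the user cannot tell the command was rejected; add an else branch that reports the error. The input[2] test also only proves that input+3 is still inside the string: when input[2] is the last character, input+3 is the empty string, so r_core_write_op has to cope with an empty arg. Style: the surrounding code puts a space before the opening brace, so this should read `if (input[2]) {`.
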
3 changes: 2 additions & 1 deletion libr/core/io.c
Expand Up @@ -150,7 +150,8 @@ R_API int r_core_write_op(RCore *core, const char *arg, char op) {
} else
if (op=='2' || op=='4') {
op -= '0';
for (i=0; i<core->blocksize; i+=op) {
// if i < core->blocksize would pass the test but buf[i+3] goes beyond the buffer
for (i=0; i<core->blocksize-3; i+=op) {
/* endian swap */
ut8 tmp = buf[i];
buf[i] = buf[i+3];
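
Review bot: the new loop bound `i<core->blocksize-3` wraps around when blocksize is smaller than 3 and the subtraction is evaluated as unsigned, which makes the condition true for almost every i and brings back the out-of-bounds buf[i+3] access. Write the bound without a subtraction, for example `i+3 < core->blocksize`, or return before the loop when blocksize is below 4. The added explanation uses a `//` comment while the next line uses `/* */`; match the block-comment style.
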

1 comment on commit dfb5058


@radare radare commented on dfb5058 Jul 12, 2015

better check if blocksize>3 before entering the loop, otherwise, if blocksize is unsigned, it will always be true causing another bug
