SBORROW4 wrongly used in condition #135

Open
yangzao opened this issue Apr 19, 2024 · 0 comments
yangzao commented Apr 19, 2024

Environment

```
[0x00001060]> date
Thu Apr 18 19:45:06 2024
[0x00001060]> r2 -v
radare2 5.8.9 31711 @ linux-x86-64
birth: git.5.8.8-1074-gbe75b2d9ee 2024-02-13__17:26:56
commit: be75b2d9ee0701582aae047c2a717c4a64d6503e
options: gpl -O1 cs:5 cl:2 make
[0x00001060]> uname -ms
x86
```

Description

When using R2Ghidra, the decompiled for-loop condition incorrectly uses SBORROW4 to represent `<`.

Original code:

```c
loop < 111
```

Decompiled code:

```c
iStack_24 == 0x6e || SBORROW4(iStack_24, 0x6e) != iStack_24 + -0x6e < 0
```

The original condition can be met when `loop` is less than 111,
but the decompiled condition is always false.

If iStack_24 is less than 0x6e (110), a signed borrow occurs,
so both the left (SBORROW4(iStack_24, 0x6e)) and right (iStack_28 + -2 < 0) parts are true and the condition is false.
So the loop body is not reachable in decompiled code.

Test

Files:
2.zip

Commands used:

```
r2 orig_exec
aaa
pdg @ sym.func_1
```

The issue is in the last for loop near the end of the function.
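To make the decompiled expression concrete, here is an added example (not code from the issue or from r2ghidra) that models the P-code `INT_SBORROW` operator as the Ghidra P-code reference defines it, namely signed overflow of the subtraction `a - b` (the x86 OF flag after `cmp`/`sub`), and evaluates the decompiled condition next to the source condition `loop < 111` for concrete values of `iStack_24`. The wrapping helper `sub32` is an assumption introduced here so the `iStack_24 + -0x6e` term has two's-complement machine semantics instead of C's undefined signed overflow; note also that C parses `x != y < 0` as `x != (y < 0)`, because `<` binds tighter than `!=`, which is how `cmp` followed by `jle` (ZF || SF != OF) is normally rendered.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the P-code INT_SBORROW operator on 4-byte operands:
 * true when the signed subtraction a - b overflows int32_t (x86 OF). */
static bool SBORROW4(int32_t a, int32_t b) {
    int64_t wide = (int64_t)a - (int64_t)b;
    return wide < INT32_MIN || wide > INT32_MAX;
}

/* Assumed helper: two's-complement wrap-around subtraction, matching the
 * machine SUB instruction without relying on undefined signed overflow. */
static int32_t sub32(int32_t a, int32_t b) {
    return (int32_t)((uint32_t)a - (uint32_t)b);
}

/* The decompiled condition from the issue, with `iStack_24 + -0x6e`
 * replaced by the wrapping sub32(). Reads as ZF || (OF != SF):
 *   ZF: iStack_24 == 0x6e, OF: SBORROW4(...), SF: result < 0 */
static bool decompiled_condition(int32_t iStack_24) {
    return iStack_24 == 0x6e || SBORROW4(iStack_24, 0x6e) != sub32(iStack_24, 0x6e) < 0;
}

/* The source condition from the issue. */
static bool original_condition(int32_t loop) {
    return loop < 111;
}

/* Evaluate both conditions over [lo, hi]; returns how many values disagree. */
static long count_mismatches(int64_t lo, int64_t hi) {
    long mismatches = 0;
    for (int64_t v = lo; v <= hi; v++) {
        if (decompiled_condition((int32_t)v) != original_condition((int32_t)v))
            mismatches++;
    }
    return mismatches;
}

int main(void) {
    /* Constructed sample values, including the int32 extremes. */
    int32_t samples[] = {INT32_MIN, -1, 0, 109, 110, 111, INT32_MAX};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t v = samples[i];
        printf("%11d  SBORROW4=%d  original=%d  decompiled=%d\n", v,
               SBORROW4(v, 0x6e), original_condition(v), decompiled_condition(v));
    }
    printf("mismatches in [-1000, 1000]: %ld\n", count_mismatches(-1000, 1000));
    return 0;
}
```

Running it prints one line per sample value so the three flag-like terms can be read off individually; `SBORROW4` is only true for values whose subtraction of 0x6e leaves the int32 range, which is what distinguishes it from an unsigned borrow.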
