Fix oobwrite and uaf in RStr.fixspaces

radareorg · Dec 11, 2024 · d469684 · d469684
1 parent 379fbba
commit d469684
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 24 deletions.
diff --git a/libr/arch/p/arm/pseudo.c b/libr/arch/p/arm/pseudo.c
@@ -284,7 +284,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 		s = r_str_replace (s, " lsr ", " >> ", 1);
 		s = r_str_replace (s, "+ -", "- ", 1);
 		s = r_str_replace (s, "- -", "+ ", 1);
-		r_str_fixspaces (s);
+		s = r_str_fixspaces (s);
 	}
 	free (buf);
 	return s;

diff --git a/libr/arch/p/bpf/pseudo.c b/libr/arch/p/bpf/pseudo.c
@@ -79,8 +79,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 	for (i = 0; i < MAXARGS; i++) {
 		free (argv[i]);
 	}
-	r_str_fixspaces (str);
-	return str;
+	return r_str_fixspaces (str);
 }
 
 RAsmPlugin r_asm_plugin_bpf = {

diff --git a/libr/arch/p/evm/pseudo.c b/libr/arch/p/evm/pseudo.c
@@ -82,8 +82,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 	for (i = 0; i < MAXARGS; i++) {
 		free (argv[i]);
 	}
-	r_str_fixspaces (str);
-	return str;
+	return r_str_fixspaces (str);
 }
 
 RAsmPlugin r_asm_plugin_evm = {

diff --git a/libr/arch/p/stm8/pseudo.c b/libr/arch/p/stm8/pseudo.c
@@ -219,8 +219,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 		}
 	}
 	free (buf);
-	r_str_fixspaces (str);
-	return str;
+	return r_str_fixspaces (str);
 }
 
 RAsmPlugin r_asm_plugin_stm8= {

diff --git a/libr/arch/p/tricore/pseudo.c b/libr/arch/p/tricore/pseudo.c
@@ -192,7 +192,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 		}
 	}
 #if 0
-	r_str_fixspaces (str);
+	str = r_str_fixspaces (str);
 #endif
 	char *str = malloc (strlen (data) + 128);
 	strcpy (str, data);

diff --git a/libr/arch/p/x86_nz/pseudo.c b/libr/arch/p/x86_nz/pseudo.c
@@ -300,7 +300,7 @@ static char *parse(RAsmPluginSession *aps, const char *data) {
 		str = replace (nw, wa);
 	}
 	if (str) {
-		r_str_fixspaces (str);
+		str = r_str_fixspaces (str);
 	}
 	free (buf);
 	return str;

diff --git a/libr/include/r_util/r_str.h b/libr/include/r_util/r_str.h
@@ -143,7 +143,7 @@ R_API int r_str_arg_unescape(char *arg);
 R_API char **r_str_argv(const char *str, int *_argc);
 R_API void r_str_argv_free(char **argv);
 R_API char *r_str_new(const char *str);
-R_API void r_str_fixspaces(char *str);
+R_API char *r_str_fixspaces(char *str);
 R_API int r_snprintf(char *string, int len, const char *fmt, ...) R_PRINTF_CHECK(3, 4);
 R_API bool r_str_is_ascii(const char *str);
 R_API char *r_str_nextword(char *s, char ch);

diff --git a/libr/util/str.c b/libr/util/str.c
@@ -4123,25 +4123,25 @@ R_API bool r_str_startswith(const char *str, const char *needle) {
 	return !strncmp (str, needle, strlen (needle));
 }
 
-R_API void r_str_fixspaces(char *str) {
-	R_RETURN_IF_FAIL (str);
-	// add space after commas
-	char *os = strdup (str);
-	int i, j;
-	for (i = j = 0; os[i]; i++,j++) {
-		char ch = os[i];
-		str[j] = ch;
+// add space after commas
+R_API char *r_str_fixspaces(char *str) {
+	R_RETURN_VAL_IF_FAIL (str, NULL);
+	RStrBuf *sb = r_strbuf_new ("");
+	int i;
+	for (i = 0; str[i]; i++) {
+		const char ch = str[i];
+		r_strbuf_append_n (sb, &ch, 1);
 		if (ch == ',') {
-			j++;
-			str[j] = ' ';
-			while (os[i + 1] == ' ') {
+			r_strbuf_append (sb, " ");
+			while (str[i + 1] == ' ') {
 				i++;
 			}
 		}
 	}
-	str[j] = 0;
-	free (os);
-	r_str_trim_tail (str);
+	char *newstr = r_strbuf_drain (sb);
+	r_str_trim_tail (newstr);
+	free (str);
+	return newstr;
 }
 
 R_API char *r_str_tok_r(char *str, const char *delim, char **save_ptr) {