BeaEngine / beaengine

BeaEngine disasm project

Out-of-bounds access in FixOpSizeForMemoryOperand #38

Open 0vercl0k opened 2 years ago

0vercl0k commented 2 years ago

Hello,

I'm hitting an OOB read access in the below code:

```c
void __bea_callspec__ FixOpSizeForMemoryOperand (PDISASM pMyDisasm)
{
  int i = GV.MemDecoration / 100;
  if (ArgsSize[GV.MemDecoration - (i*100+1)] != 0) {
```

Basically, the following arithmetic, `GV.MemDecoration - (i*100+1)`, is equal to -1, which makes it access 4 bytes before the array:

```text
0:004> ?? pMyDisasm->Reserved_.MemDecoration
int 0n0
0:004> ?? i
int 0n0
```

This has been caught using AddressSanitizer on Windows:

```text
=================================================================
==16444==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff67bf4dbfc at pc 0x7ff67bbd3a36 bp 0x002bd7cfd680 sp 0x002bd7cfd688
READ of size 4 at 0x7ff67bf4dbfc thread T16777215
    #0 0x7ff67bbd3a35 in FixOpSizeForMemoryOperand C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c:192
    #1 0x7ff67bce538d in Disasm C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c:35
    #2 0x7ff67ba75cfd in IntelBeaEngine::disass(unsigned char const *, unsigned __int64, unsigned __int64, enum DisassEngineReturn &) C:\work\codes\rp\src\rp\intelbeaengine.hpp:28
```

Cheers
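The index arithmetic from the report, reproduced as an added example (not BeaEngine's own code) to show why `MemDecoration == 0` lands at index -1, and a bounds-checked lookup as the defensive alternative. The `ArgsSize` table here is a constructed stand-in: its real length and contents are not shown in the issue, so a 99-entry table is assumed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for BeaEngine's ArgsSize table (assumed length 99,
 * which is the largest index the formula can produce plus one). */
#define ARGS_SIZE_LEN 99
static const int ArgsSize[ARGS_SIZE_LEN] = { 1, 2, 4, 8 /* rest zero */ };

/* The index expression exactly as the issue quotes it:
 * GV.MemDecoration - (i*100+1) with i = GV.MemDecoration / 100.
 * For MemDecoration = 0 this is 0 - (0*100 + 1) = -1. */
int args_size_index(int mem_decoration)
{
    int i = mem_decoration / 100;
    return mem_decoration - (i * 100 + 1);
}

/* Hardened lookup: validate the computed index before touching the table.
 * Returns false when the index is out of range, which covers the
 * MemDecoration == 0 case from the report and every other multiple of 100. */
bool args_size_checked(int mem_decoration, int *out)
{
    int idx = args_size_index(mem_decoration);
    if (idx < 0 || idx >= ARGS_SIZE_LEN)
        return false;
    *out = ArgsSize[idx];
    return true;
}

/* Convenience wrapper: table value, or `fallback` when the index is invalid. */
int args_size_or(int mem_decoration, int fallback)
{
    int v;
    return args_size_checked(mem_decoration, &v) ? v : fallback;
}

/* Count how many MemDecoration values in [0, max] would index before the
 * table: one for every value whose low two decimal digits are 00. */
int count_oob_indices(int max_mem_decoration)
{
    int bad = 0;
    for (int md = 0; md <= max_mem_decoration; md++)
        if (args_size_index(md) < 0) bad++;
    return bad;
}

int main(void)
{
    printf("index(0) = %d, index(100) = %d, index(199) = %d\n",
           args_size_index(0), args_size_index(100), args_size_index(199));
    printf("out-of-range values in [0, 999]: %d\n", count_oob_indices(999));
    return 0;
}
```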