nccgroup / Cartographer

Code Coverage Exploration Plugin for Ghidra
Apache License 2.0
326 stars 28 forks

Fix out of bound error. #5

Closed adgitate1 closed 6 months ago

adgitate1 commented 7 months ago

Fix #2

I was able to debug passing the entire error object instead of just the message in: https://github.com/nccgroup/Cartographer/blob/30e4efaa613ad9759a6bf33fafa00943eaa9a55e/src/main/java/cartographer/CoverageFile.java#L137

which then gives me the following info:

Caused by: java.lang.IndexOutOfBoundsException: Index -1 out of bounds for length 96
    at java.base/jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64)
    at java.base/jdk.internal.util.Preconditions.outOfBoundsCheckIndex(Preconditions.java:70)
    at java.base/jdk.internal.util.Preconditions.checkIndex(Preconditions.java:266)
    at java.base/java.util.Objects.checkIndex(Objects.java:359)
    at java.base/java.util.ArrayList.get(ArrayList.java:427)
    at cartographer.CoverageFile.parseDrCovFile(CoverageFile.java:243)
    at cartographer.CoverageFile.<init>(CoverageFile.java:101)
    ... 18 more

which says it fails on the get function on line 243 https://github.com/nccgroup/Cartographer/blob/30e4efaa613ad9759a6bf33fafa00943eaa9a55e/src/main/java/cartographer/CoverageFile.java#L243

then I checked dynamorio's code to see when/why it would save the module_id as -1 and noticed that it uses an unsigned short (which Java doesn't have)

ushort mod_id; https://github.com/DynamoRIO/dynamorio/blob/release_10.0.0/ext/drcovlib/drcovlib.h#L150

and then also saw that it defaults the id to the short max (65535) when its lookup can't find it (which explains why we see -1)

#define UNKNOWN_MODULE_ID USHRT_MAX https://github.com/DynamoRIO/dynamorio/blob/release_10.0.0/ext/drcovlib/drcovlib.c#L69

if (res == DRCOVLIB_SUCCESS) {..}else{bb_entry->mod_id = UNKNOWN_MODULE_ID; https://github.com/DynamoRIO/dynamorio/blob/release_10.0.0/ext/drcovlib/drcovlib.c#L181

So now I just add a check to see if it is a valid module index before attempting to add the block.

I also changed the module_id to use an integer to support the theoretical case of a valid module > 32767. (dragondance also saves as an integer) https://github.com/0ffffffffh/dragondance/blob/v0.2.2/src/main/java/dragondance/datasource/CoverageDataSource.java#L292
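An added illustration of the signed/unsigned mismatch described above (this is example code, not part of the Cartographer or DynamoRIO sources): it assumes the drcov basic-block entry layout from drcovlib.h is `{uint start; ushort size; ushort mod_id;}` in little-endian order, reproduces the -1 that a signed 16-bit read produces for `UNKNOWN_MODULE_ID`, and shows the guarded parse that skips ids outside the module table instead of indexing with them.

```python
import struct
from dataclasses import dataclass

# drcov bb entry (assumption: {uint start; ushort size; ushort mod_id;}, 8 bytes, LE).
BB_ENTRY = struct.Struct("<IHH")
UNKNOWN_MODULE_ID = 0xFFFF  # USHRT_MAX, what drcovlib stores when module lookup fails


@dataclass(frozen=True)
class Block:
    module_id: int
    start: int
    size: int


def signed_module_id(raw_entry: bytes) -> int:
    """Reproduce the bug: read mod_id as a signed 16-bit value (Java 'short')."""
    _, _, mod_id = struct.unpack("<IHh", raw_entry)
    return mod_id  # 0xFFFF becomes -1, which then indexes the module list


def parse_bb_entries(data: bytes, module_count: int):
    """Parse bb entries, returning (valid_blocks, skipped_count).

    mod_id is read unsigned and checked against the module table size before
    it is used as an index, so UNKNOWN_MODULE_ID and any other out-of-range id
    is skipped rather than raising IndexOutOfBounds downstream.
    """
    blocks, skipped = [], 0
    usable = len(data) - len(data) % BB_ENTRY.size  # ignore a trailing partial entry
    for off in range(0, usable, BB_ENTRY.size):
        start, size, mod_id = BB_ENTRY.unpack_from(data, off)
        if mod_id == UNKNOWN_MODULE_ID or mod_id >= module_count:
            skipped += 1
            continue
        blocks.append(Block(mod_id, start, size))
    return blocks, skipped


# Constructed sample: a valid entry, one tagged UNKNOWN_MODULE_ID, and one whose
# id equals the table length (96 modules, as in the reported exception).
SAMPLE = b"".join([
    BB_ENTRY.pack(0x1000, 0x20, 3),
    BB_ENTRY.pack(0x2000, 0x10, UNKNOWN_MODULE_ID),
    BB_ENTRY.pack(0x3000, 0x08, 96),
])

if __name__ == "__main__":
    print(signed_module_id(SAMPLE[8:16]))          # -1, matching the stack trace
    print(parse_bb_entries(SAMPLE, module_count=96))
```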