rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

`rz_type_parse_string_single` segfaults when parsing a complex type #2190

Open DMaroo opened 2 years ago

DMaroo commented 2 years ago

Work environment

| Questions | Answers |
|---|---|
| OS/arch/bits (mandatory) | Arch Linux, x86-64 |
| File format of the file you reverse (mandatory) | Not relevant |
| Architecture/bits of the file (mandatory) | x86/64 |
| rizin -v full output, not truncated (mandatory) | rizin 0.4.0-git @ linux-x86-64 commit: ecfdb01ec772dfe978a585a540df6f86c340f73d, build: 2022-01-10__14:00:58 |

Type causing segfault

```c
struct gamma {
    wchar_t (*(*dunk)[])(int, const char*);
} sigma;
```

Expected behavior

No segmentation fault happens, and the type is parsed correctly.

Actual behavior

rz_type_parse_string_single encounters a segmentation fault because of calling strdup(NULL). Backtrace:

```
#1  0x00007fb4d9b32e3f in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007fb4d9c96c90 in parse_type_declarator_node (state=0x559070b67980, node=...,
    text=0x559070b89890 "__TYPE_EXPRESSION struct gamma {\n\twchar_t (*(*dunk)[])(int, const char*);\n} sigma;", tpair=0x7fff8adffee8,
    identifier=0x7fff8adffee0) at ../librz/type/parser/types_parser.c:1690
#3  0x00007fb4d9c91f3a in parse_struct_node (state=0x559070b67980, node=...,
    text=0x559070b89890 "__TYPE_EXPRESSION struct gamma {\n\twchar_t (*(*dunk)[])(int, const char*);\n} sigma;", tpair=0x7fff8ae00198,
    is_const=false) at ../librz/type/parser/types_parser.c:554
#4  0x00007fb4d9c948ef in parse_type_node_single (state=0x559070b67980, node=...,
    text=0x559070b89890 "__TYPE_EXPRESSION struct gamma {\n\twchar_t (*(*dunk)[])(int, const char*);\n} sigma;", tpair=0x7fff8ae00198,
    is_const=false) at ../librz/type/parser/types_parser.c:1183
#5  0x00007fb4d9c97122 in parse_type_descriptor_single (state=0x559070b67980, node=...,
    text=0x559070b89890 "__TYPE_EXPRESSION struct gamma {\n\twchar_t (*(*dunk)[])(int, const char*);\n} sigma;", tpair=0x7fff8ae00198)
    at ../librz/type/parser/types_parser.c:1762
#6  0x00007fb4d9c8f0fb in rz_type_parse_string_single (parser=0x559070b6dd10,
    code=0x559070b07470 "struct gamma {\n\twchar_t (*(*dunk)[])(int, const char*);\n} sigma;", error_msg=0x7fff8ae01638)
    at ../librz/type/parser/c_cpp_parser.c:354
```

Steps to reproduce the behavior

Use the Rizin API and call rz_type_parse_string_single with appropriate arguments.

This bug was encountered while testing for #1272.
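The crash class in the report (a declarator walk that yields no identifier, followed by an unguarded `strdup`) is easy to reproduce in isolation. The following is an added, self-contained C illustration, not code from rizin or from the reporter: it builds a toy declarator tree shaped like `wchar_t (*(*dunk)[])(int, const char*)`, walks inward to the name, and returns an error instead of passing NULL to the string copy. All type and function names here (`Decl`, `find_identifier`, `safe_strdup`, `declarator_name`, `decl_dunk`, `decl_param`) are hypothetical and do not correspond to rizin's internals.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical declarator tree, constructed to mirror the nesting of the
 * reported type; not rizin's tree-sitter node structure. */
typedef enum {
    DECL_IDENT,    /* leaf carrying the declared name */
    DECL_POINTER,  /* `*` wrapping an inner declarator */
    DECL_ARRAY,    /* `[]` wrapping an inner declarator */
    DECL_FUNCTION, /* `(...)` wrapping an inner declarator */
    DECL_ABSTRACT  /* no name at all, e.g. the parameter `const char*` */
} DeclKind;

typedef struct Decl {
    DeclKind kind;
    const char *name;         /* set only for DECL_IDENT */
    const struct Decl *inner; /* set for pointer/array/function */
} Decl;

/* Walk inward until the identifier leaf. Abstract declarators have no name,
 * so the walk legitimately ends with NULL; callers must expect that. */
static const char *find_identifier(const Decl *d) {
    while (d) {
        switch (d->kind) {
        case DECL_IDENT:
            return d->name;
        case DECL_ABSTRACT:
            return NULL;
        default:
            d = d->inner;
        }
    }
    return NULL;
}

/* NULL-tolerant copy. The backtrace shows glibc strdup faulting on s=0x0;
 * this guard turns that into a NULL return the caller can check. */
static char *safe_strdup(const char *s) {
    if (!s) {
        return NULL;
    }
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy) {
        memcpy(copy, s, n);
    }
    return copy;
}

/* Produce a heap-allocated name for a declarator, or NULL plus an error
 * message when the declarator is abstract, instead of crashing. */
static char *declarator_name(const Decl *d, const char **err) {
    const char *id = find_identifier(d);
    if (!id) {
        *err = "declarator has no identifier";
        return NULL;
    }
    *err = NULL;
    return safe_strdup(id);
}

/* Constructed sample: wchar_t (*(*dunk)[])(int, const char*) */
static const Decl ident_dunk = { DECL_IDENT, "dunk", NULL };
static const Decl ptr_dunk   = { DECL_POINTER, NULL, &ident_dunk }; /* (*dunk)        */
static const Decl arr_dunk   = { DECL_ARRAY, NULL, &ptr_dunk };     /* (*dunk)[]      */
static const Decl ptr_arr    = { DECL_POINTER, NULL, &arr_dunk };   /* *(*dunk)[]     */
const Decl decl_dunk         = { DECL_FUNCTION, NULL, &ptr_arr };   /* (...)(int, ..) */

/* Constructed sample: the parameter `const char*`, a pointer to nothing named */
static const Decl abstract_inner = { DECL_ABSTRACT, NULL, NULL };
const Decl decl_param            = { DECL_POINTER, NULL, &abstract_inner };

int main(void) {
    const char *err = NULL;
    char *name = declarator_name(&decl_dunk, &err);   /* "dunk" */
    free(name);
    char *none = declarator_name(&decl_param, &err);  /* NULL, err set */
    free(none);
    return 0;
}
```

The design point is that an abstract declarator is a valid outcome of the walk, not a parser bug, so the NULL has to be handled at the boundary where the name is consumed; a NULL-safe copy plus an explicit error path is what stops a parameter with no name from turning into a segfault.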

XVilka commented 1 year ago

Related to issues in the C grammar itself: