Segmentation fault while loading PDB

[Sanceilaks]

Environment information

• Operating System: Arch Linux x86_64 (Linux 6.10.9-arch1-2)
• Cutter version: 2.3.4-makepkg-209c26b
• Obtained from:
  • [ ] Built from source
  • [ ] Downloaded release from Cutter website or GitHub
  • [x] Distribution repository
• File format: pdb + exe

crush while loading PDB

❯ cutter
"0.7.3" "0.7.3"
Plugins are loaded from "/home/voidptr_t/.local/share/rizin/cutter/plugins"
Native plugins are loaded from "/home/voidptr_t/.local/share/rizin/cutter/plugins/native"
Python plugins are loaded from "/home/voidptr_t/.local/share/rizin/cutter/plugins/python"
Loaded 0 plugin(s).
Plugins are loaded from "/home/voidptr_t/.local/share/flatpak/exports/share/rizin/cutter/plugins"
Plugins are loaded from "/var/lib/flatpak/exports/share/rizin/cutter/plugins"
Plugins are loaded from "/usr/local/share/rizin/cutter/plugins"
Plugins are loaded from "/usr/share/rizin/cutter/plugins"
Native plugins are loaded from "/usr/share/rizin/cutter/plugins/native"
Loaded 1 plugin(s).
WARNING: bin_file_strings: search interval size (0x1063400) exeeds max region size (0xa00000), skipping it.
WARNING: bin_file_strings: search interval size (0x1063400) exeeds max region size (0xa00000), skipping it.
[1]    74755 segmentation fault (core dumped)  cutter

To Reproduce

Steps to reproduce the behavior:

1. Open file
2. Load pdb

Expected behavior

Screenshots

Additional context

gdb backtrace

Thread 18 "Thread (pooled)" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffb96006c0 (LWP 73187)]
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
76      VPCMPEQ (%rdi), %ymm0, %ymm1
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1  0x00007ffff4abacd3 in __GI___strdup (s=s@entry=0x0) at strdup.c:41
#2  0x00007ffff54643b8 in mfunction_parse (typedb=0x55555600b470, stream=0x7fff3a9d6760, type_info=<optimized out>, name=0x0)
    at ../librz/analysis/pdb_process.c:204
#3  0x00007ffff5463719 in pdb_type_parse
    (typedb=typedb@entry=0x55555600b470, stream=stream@entry=0x7fff3a9d6760, type=<optimized out>, name=name@entry=0x0)
    at ../librz/analysis/pdb_process.c:756
#4  0x00007ffff54635eb in pointer_parse (typedb=0x55555600b470, stream=0x7fff3a9d6760, type=0x7fff3b28dd30, name=0x0)
    at ../librz/analysis/pdb_process.c:118
#5  pdb_type_parse (typedb=0x55555600b470, stream=0x7fff3a9d6760, type=0x7fff3b28dd30, name=0x0) at ../librz/analysis/pdb_process.c:752
#6  0x00007ffff5587438 in nest_parse.isra.0
    (typedb=typedb@entry=0x55555600b470, stream=stream@entry=0x7fff3a9d6760, type_info=type_info@entry=0x7fff3b28e850, name=<optimized out>)
    at ../librz/analysis/pdb_process.c:304
#7  0x00007ffff5463a45 in class_member_parse (typedb=<optimized out>, stream=<optimized out>, t=0x7fff3b28e850)
    at ../librz/analysis/pdb_process.c:344
#8  class_parse (typedb=0x55555600b470, stream=0x7fff3a9d6760, type=0x7fff3b28ecd0) at ../librz/analysis/pdb_process.c:482
#9  pdb_type_parse (typedb=typedb@entry=0x55555600b470, stream=stream@entry=0x7fff3a9d6760, type=0x7fff3b28ecd0, name=name@entry=0x0)
    at ../librz/analysis/pdb_process.c:742
#10 0x00007ffff5464645 in rz_type_db_pdb_parse (typedb=typedb@entry=0x55555600b470, stream=stream@entry=0x7fff3a9d6760, type=<optimized out>)
    at ../librz/analysis/pdb_process.c:793
#11 0x00007ffff5464751 in rz_type_db_pdb_load (typedb=0x55555600b470, pdb=pdb@entry=0x7fff85cc8d20) at ../librz/analysis/pdb_process.c:818
#12 0x00007ffff7ab3b56 in rz_core_pdb_load_info (core=0x5555563a0910, file=0x7fff861be970 "/home/voidptr_t/dev/hoi4/hoi4.pdb")
    at ../librz/core/cpdb.c:327
#13 0x00007ffff7a99be3 in rz_core_bin_pdb_load (core=0x5555563a0910, filename=0x7fff861be970 "/home/voidptr_t/dev/hoi4/hoi4.pdb")
    at ../librz/core/cbin.c:5318
#14 0x0000555555695467 in CutterCore::loadPDB (this=<optimized out>, file=...) at /usr/src/debug/rz-cutter/cutter/src/core/Cutter.cpp:4227
#15 0x00005555556f3986 in AnalysisTask::runTask (this=0x555556c18e50) at /usr/src/debug/rz-cutter/cutter/src/common/AnalysisTask.cpp:73
#16 0x0000555555777b71 in AsyncTask::run (this=0x555556c18e50) at /usr/src/debug/rz-cutter/cutter/src/common/AsyncTask.cpp:50
#17 0x00007ffff5acba85 in QThreadPoolThread::run (this=0x555556ef1160) at /usr/src/debug/qt6-base/qtbase/src/corelib/thread/qthreadpool.cpp:68
#18 0x00007ffff5acd237 in operator() (__closure=<optimized out>) at /usr/src/debug/qt6-base/qtbase/src/corelib/thread/qthread_unix.cpp:326
#19 (anonymous namespace)::terminate_on_exception<QThreadPrivate::start(void*)::<lambda()> > (t=<optimized out>)
    at /usr/src/debug/qt6-base/qtbase/src/corelib/thread/qthread_unix.cpp:262
#20 QThreadPrivate::start (arg=0x555556ef1160) at /usr/src/debug/qt6-base/qtbase/src/corelib/thread/qthread_unix.cpp:285
#21 0x00007ffff4aa339d in start_thread (arg=<optimized out>) at pthread_create.c:447
#22 0x00007ffff4b2849c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

https://drive.google.com/file/d/1qdZz3g9A2oXrf19COWjPVzshi2DZqYYz/view?usp=sharing

[wargio]

This looks like a legitimate crash due strdup being called with NULL parameter.

[Sanceilaks]

This looks like a legitimate crash due strdup being called with NULL parameter.

IDA opens this file without any issues, if that's important

[Sanceilaks]

Binary Ninja works fine

[Sanceilaks]

On windows works fine

Version 2.3.4-HEAD-209c26b
Using rizin 0.7.1 @ windows-x86-64 commit: 7cb15e769c9e8d83de041634dc8a35634ee1cbb7
Based on Qt 5.15.2 (MSVC 2017, 64 bit)

[wargio]

the windows version is using the Github release? can you try also the appimage from the latest release?

[XVilka]

I can reproduce with just Rizin:

cutter/3376/hoi4 took 37.3s                                                                                                                                                                                 23:16:42
ℤ lldb rizin
(lldb) target create "rizin"
Current executable set to '/Users/xvilka/.local/bin/rizin' (arm64).
(lldb) run hoi4.exe
Process 70328 launched: '/Users/xvilka/.local/bin/rizin' (arm64)
WARNING: bin_file_strings: search interval size (0x1063400) exeeds max region size (0xa00000), skipping it.
WARNING: bin_file_strings: search interval size (0x1063400) exeeds max region size (0xa00000), skipping it.
 -- Change your fortune types with 'e cfg.fortunes.file=fun,tips' in your ~/.rizinrc
[0x140eedf6c]> idp
Process 70328 stopped
* thread rizinorg/cutter#1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000018365f904 libsystem_platform.dylib`_platform_strlen + 4
libsystem_platform.dylib`:
->  0x18365f904 <+4>:  ldr    q0, [x1]
    0x18365f908 <+8>:  adr    x3, #-0xc8                ; ___lldb_unnamed_symbol290
    0x18365f90c <+12>: ldr    q2, [x3], #0x10
    0x18365f910 <+16>: and    x2, x0, #0xf
Target 0: (rizin) stopped.
(lldb) bt
* thread rizinorg/cutter#1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000018365f904 libsystem_platform.dylib`_platform_strlen + 4
    frame rizinorg/cutter#1: 0x00000001834c9a58 libsystem_c.dylib`strdup + 28
    frame rizinorg/cutter#2: 0x000000010215d404 librz_arch.0.8.dylib`mfunction_parse(typedb=0x000000015b804410, stream=0x00006000020a0000, type_info=0x00006000040eeea0, name=0x0000000000000000) at pdb_process.c:204:25 [opt]
    frame rizinorg/cutter#3: 0x000000010215c9e8 librz_arch.0.8.dylib`pdb_type_parse(typedb=0x000000015b804410, stream=0x00006000020a0000, type=<unavailable>, name=0x0000000000000000) at pdb_process.c:756:10 [opt] [artificial]
    frame rizinorg/cutter#4: 0x000000010215c8f4 librz_arch.0.8.dylib`pdb_type_parse at pdb_process.c:118:17 [opt]
    frame rizinorg/cutter#5: 0x000000010215c8b0 librz_arch.0.8.dylib`pdb_type_parse(typedb=0x000000015b804410, stream=0x00006000020a0000, type=0x0000600001fab680, name=0x0000000000000000) at pdb_process.c:752:10 [opt]
    frame rizinorg/cutter#6: 0x000000010215d804 librz_arch.0.8.dylib`nest_parse(typedb=0x000000015b804410, stream=0x00006000020a0000, type_info=0x0000600001fabb80, name=<unavailable>) at pdb_process.c:304:18 [opt]
    frame rizinorg/cutter#7: 0x000000010215c6ac librz_arch.0.8.dylib`pdb_type_parse [inlined] class_member_parse(typedb=<unavailable>, stream=<unavailable>, t=<unavailable>) at pdb_process.c:344:10 [opt]
    frame rizinorg/cutter#8: 0x000000010215c68c librz_arch.0.8.dylib`pdb_type_parse at pdb_process.c:482:39 [opt]
    frame rizinorg/cutter#9: 0x000000010215c4d8 librz_arch.0.8.dylib`pdb_type_parse(typedb=0x000000015b804410, stream=0x00006000020a0000, type=0x0000600001fabd80, name=0x0000000000000000) at pdb_process.c:742:10 [opt]
    frame rizinorg/cutter#10: 0x000000010215d354 librz_arch.0.8.dylib`rz_type_db_pdb_load [inlined] rz_type_db_pdb_parse(typedb=0x000000015b804410, stream=0x00006000020a0000, type=<unavailable>) at pdb_process.c:793:9 [opt]
    frame rizinorg/cutter#11: 0x000000010215d344 librz_arch.0.8.dylib`rz_type_db_pdb_load(typedb=0x000000015b804410, pdb=0x0000600002735f80) at pdb_process.c:818:4 [opt]
    frame rizinorg/cutter#12: 0x00000001010d1aac librz_core.0.8.dylib`rz_core_pdb_load_info(core=0x000000015c008a00, file="hoi4.pdb") at cpdb.c:327:2 [opt]
    frame rizinorg/cutter#13: 0x00000001010ae844 librz_core.0.8.dylib`rz_core_bin_pdb_load(core=0x000000015c008a00, filename=<unavailable>) at cbin.c:5316:15 [opt]
    frame rizinorg/cutter#14: 0x0000000101164ae4 librz_core.0.8.dylib`rz_cmd_info_pdb_load_handler(core=0x000000015c008a00, argc=<unavailable>, argv=<unavailable>, state=<unavailable>) at cmd_info.c:488:35 [opt]
    frame rizinorg/cutter#15: 0x00000001011594a8 librz_core.0.8.dylib`rz_cmd_call_parsed_args at cmd_api.c:761:21 [opt]
    frame rizinorg/cutter#16: 0x0000000101159464 librz_core.0.8.dylib`rz_cmd_call_parsed_args [inlined] call_cd(cmd=<unavailable>, cd=0x000060000282c3f0, args=0x000060000033aa60) at cmd_api.c:798:10 [opt]
    frame rizinorg/cutter#17: 0x0000000101159464 librz_core.0.8.dylib`rz_cmd_call_parsed_args(cmd=<unavailable>, args=0x000060000033aa60) at cmd_api.c:816:9 [opt]
    frame rizinorg/cutter#18: 0x0000000101148fb0 librz_core.0.8.dylib`handle_ts_arged_stmt [inlined] handle_ts_arged_stmt_internal(state=0x000000016fdfe628, node=TSNode @ 0x000000016fdfe380, node_string="idp") at cmd.c:3560:8 [opt]
    frame rizinorg/cutter#19: 0x0000000101148c3c librz_core.0.8.dylib`handle_ts_arged_stmt(state=0x000000016fdfe628, node=<unavailable>) at cmd.c:3508:1 [opt]
    frame rizinorg/cutter#20: 0x00000001011534d8 librz_core.0.8.dylib`handle_ts_stmt(state=0x000000016fdfe628, node=TSNode @ 0x000000016fdfe570) at cmd.c:5118:9 [opt]
    frame rizinorg/cutter#21: 0x0000000101153288 librz_core.0.8.dylib`handle_ts_statements_internal(state=0x000000016fdfe628, node=TSNode @ 0x000000016fdfe710, node_string=<unavailable>) at cmd.c:5175:25 [opt]
    frame rizinorg/cutter#22: 0x000000010114f840 librz_core.0.8.dylib`core_cmd_tsrzcmd [inlined] handle_ts_statements(state=0x000000016fdfe628, node=TSNode @ 0x000000016fdfe600) at cmd.c:5140:1 [opt]
    frame rizinorg/cutter#23: 0x000000010114f7bc librz_core.0.8.dylib`core_cmd_tsrzcmd(core=0x000000015c008a00, cstr=<unavailable>, split_lines=<unavailable>, log=<unavailable>) at cmd.c:5287:9 [opt]
    frame rizinorg/cutter#24: 0x0000000101110ac8 librz_core.0.8.dylib`rz_core_cmd(core=<unavailable>, cstr=<unavailable>, log=1) at cmd.c:5335:27 [opt]
    frame rizinorg/cutter#25: 0x00000001010cfcec librz_core.0.8.dylib`rz_core_prompt_loop [inlined] rz_core_prompt_exec(r=0x000000015c008a00) at core.c:1936:12 [opt]
    frame rizinorg/cutter#26: 0x00000001010cfcdc librz_core.0.8.dylib`rz_core_prompt_loop(r=0x000000015c008a00) at core.c:1805:14 [opt]
    frame rizinorg/cutter#27: 0x00000001004a61a4 librz_main.0.8.dylib`rz_main_rizin(argc=<unavailable>, argv=0x000000016fdfec68) at rizin.c:1462:3 [opt]
    frame rizinorg/cutter#28: 0x00000001832a7154 dyld`start + 2476
(lldb)

[Sanceilaks]

the windows version is using the Github release? can you try also the appimage from the latest release?

same