Fix #2889 - Fix use after free in rnum
radare committed Jul 8, 2015
1 parent 41d12ff commit 61eb7d3
Showing 2 changed files with 13 additions and 6 deletions.
15 changes: 9 additions & 6 deletions libr/core/core.c
Expand Up @@ -141,13 +141,16 @@ static ut64 num_callback(RNum *userptr, const char *str, int *ok) {
}
// push state
{
if (str[1]) {
if (str[0] && str[1]) {
const char *q;
char *o = strdup (str+1);
const char *q = r_num_calc_index (core->num, NULL);
r_str_replace_char (o, ']', 0);
n = r_num_math (core->num, o);
r_num_calc_index (core->num, q);
free (o);
if (o) {
q = r_num_calc_index (core->num, NULL);
r_str_replace_char (o, ']', 0);
n = r_num_math (core->num, o);
r_num_calc_index (core->num, q);
free (o);
}
}
}
// pop state
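Review bot: `q = r_num_calc_index (core->num, NULL);` can no longer save the outer expression's position, because the `else` branch this commit adds in libr/util/calc.c clears `calc_buf`, `calc_len` and `calc_i` whenever the argument is NULL, so the call returns NULL. `q` is therefore always NULL and the later `r_num_calc_index (core->num, q);` only clears the state a second time, so a bracketed sub-expression inside a larger expression appears to leave the outer parse without its buffer. The pointer to the freed `o` no longer lingers, but the push/pop contract is lost with it. One option is to keep the NULL call a pure query and clear the state here only when nothing was saved, e.g. `if (q) r_num_calc_index (core->num, q); else core->num->nc.calc_buf = NULL;`, resetting `calc_len` and `calc_i` alongside. num_callback starts and ends outside this hunk, so the surrounding push/pop code is not visible.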
4 changes: 4 additions & 0 deletions libr/util/calc.c
Expand Up @@ -151,6 +151,10 @@ R_API const char *r_num_calc_index (RNum *num, const char *p) {
num->nc.calc_buf = p;
num->nc.calc_len = strlen (p);
num->nc.calc_i = 0;
} else {
num->nc.calc_buf = NULL;
num->nc.calc_len = 0;
num->nc.calc_i = 0;
}
//if (num->nc.calc_i>num->nc.calc_len) return NULL;
return num->nc.calc_buf + num->nc.calc_i;
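Review bot: Once the new `else` branch has run, `return num->nc.calc_buf + num->nc.calc_i;` performs arithmetic on a null pointer, which ISO C leaves undefined even though common compilers yield NULL. Making the result explicit avoids relying on that: `return num->nc.calc_buf ? num->nc.calc_buf + num->nc.calc_i : NULL;`. The function now has two roles (set the buffer, or reset it when `p` is NULL) and a short header comment should say so, for example `/* p != NULL: start parsing p; p == NULL: drop the current buffer and return NULL */`. The start of r_num_calc_index, including the condition that opens the first branch, is outside this hunk.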

1 comment on commit 61eb7d3

Contributor

@XVilka XVilka commented on 61eb7d3 Jul 8, 2015


Failing 3 feat_arithmetic: div [0] test.
