
Out-of-bounds access in FixOpSizeForMemoryOperand

Open 0vercl0k opened this issue 4 years ago • 0 comments

Hello,

I'm hitting an OOB read access in the below code:

void __bea_callspec__ FixOpSizeForMemoryOperand (PDISASM pMyDisasm)
{
  int i = GV.MemDecoration / 100;
  if (ArgsSize[GV.MemDecoration - (i*100+1)] != 0) {

Basically, the following arithmetic, GV.MemDecoration - (i*100+1), is equal to -1, which makes it access 4 bytes before the array:

0:004> ?? pMyDisasm->Reserved_.MemDecoration
int 0n0
0:004> ?? i
int 0n0

This has been caught using AddressSanitizer on Windows:

=================================================================
==16444==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7ff67bf4dbfc at pc 0x7ff67bbd3a36 bp 0x002bd7cfd680 sp 0x002bd7cfd688
READ of size 4 at 0x7ff67bf4dbfc thread T16777215
    #0 0x7ff67bbd3a35 in FixOpSizeForMemoryOperand C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c:192
    #1 0x7ff67bce538d in Disasm C:\work\codes\rp\src\third_party\beaengine\src\Includes\Routines_Disasm.c:35
    #2 0x7ff67ba75cfd in IntelBeaEngine::disass(unsigned char const *, unsigned __int64, unsigned __int64, enum DisassEngineReturn &) C:\work\codes\rp\src\rp\intelbeaengine.hpp:28

Cheers

0vercl0k, Jan 16 '22 17:01
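Added worked example (not code from the issue, from its author, or from BeaEngine): a stand-alone C program that reproduces the index arithmetic quoted above and puts a bounds-checked variant beside it. The table contents, its length (16 entries) and the helper names are assumptions made for illustration; only the expression `GV.MemDecoration - (i*100+1)` comes from the report. It also generalizes the observation: every MemDecoration value that is a multiple of 100 (0, 100, 200, ...) yields index -1, not just 0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for BeaEngine's ArgsSize table. The real table's
 * contents and length are not shown in the issue; 16 entries are assumed. */
#define ARGSSIZE_LEN 16
static const int ArgsSize[ARGSSIZE_LEN] = {
    1, 2, 4, 8, 16, 32, 64, 128, 8, 10, 16, 2, 4, 8, 16, 4
};

/* The index arithmetic exactly as quoted from FixOpSizeForMemoryOperand:
 * the hundreds digit is stripped and the remainder is shifted down by one.
 * For mem_decoration == 100*k this evaluates to k*100 - (k*100 + 1) == -1. */
int unchecked_index(int mem_decoration)
{
    int i = mem_decoration / 100;
    return mem_decoration - (i * 100 + 1);
}

/* Hardened variant (assumed fix, not the upstream one): refuse to touch the
 * table when the computed index is negative or past the end. Returns true
 * only if the index is in range and the entry is non-zero; *out_index gets
 * the computed index either way so callers can log the rejected value. */
bool checked_argsize_nonzero(int mem_decoration, int *out_index)
{
    int idx = unchecked_index(mem_decoration);
    if (out_index) {
        *out_index = idx;
    }
    if (idx < 0 || idx >= ARGSSIZE_LEN) {
        return false;  /* would have been an out-of-bounds read */
    }
    return ArgsSize[idx] != 0;
}

/* Count how many MemDecoration values in [lo, hi] the unchecked code would
 * index out of range; used to show the -1 case is systematic. */
int count_oob(int lo, int hi)
{
    int n = 0;
    for (int d = lo; d <= hi; d++) {
        int idx = unchecked_index(d);
        if (idx < 0 || idx >= ARGSSIZE_LEN) {
            n++;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample decorations: the reporter's 0, two other multiples
     * of 100, and two in-range values. */
    const int samples[] = {0, 100, 200, 101, 205};
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int idx;
        bool ok = checked_argsize_nonzero(samples[k], &idx);
        printf("MemDecoration=%3d -> index %2d -> %s\n",
               samples[k], idx, ok ? "in range, non-zero" : "rejected");
    }
    printf("out-of-range indices for 0..299: %d\n", count_oob(0, 299));
    return 0;
}
```

Under ASan the unchecked read of `ArgsSize[-1]` is exactly the 4-byte global-buffer-overflow in the report; the checked variant never dereferences the table for those inputs, so the decision of what to do with an unexpected decoration value (skip the fix-up, or treat it as a decode error) is made explicitly rather than by whatever happens to sit before the array.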