DBG: fixed a nice heap overflow

x64_dbg_dbg/command.cpp

@@ -302,10 +302,9 @@ static void specialformat(char* string)
 {
     int len = (int)strlen(string);
     char* found = strstr(string, "=");
-    char* str = (char*)emalloc(len * 2, "specialformat:str");
-    char* backup = (char*)emalloc(len + 1, "specialformat:backup");
-    strcpy(backup, string); //create a backup of the string
-    memset(str, 0, len * 2);
+    char str[deflen] = "";
+    char backup[deflen] = "";
+    strcpy_s(backup, string); //create a backup of the string
     if(found) //contains =
     {
         char* a = (found - 1);
@@ -314,48 +313,37 @@ static void specialformat(char* string)
         if(!*found)
         {
             *found = '=';
-            efree(str, "specialformat:str");
-            efree(backup, "specialformat:backup");
             return;
         }
-        int flen = (int)strlen(found); //n(+)=n++
-        if((found[flen - 1] == '+' && found[flen - 2] == '+') || (found[flen - 1] == '-' && found[flen - 2] == '-')) //eax++/eax--
-        {
-            found[flen - 2] = 0;
-            char op = found[flen - 1];
-            sprintf(str, "%s%c1", found, op);
-            strcpy(found, str);
-        }
+
         if(mathisoperator(*a)) //x*=3 -> x=x*3
         {
             char op = *a;
             *a = 0;
             if(isvalidexpression(string))
-                sprintf(str, "mov %s,%s%c%s", string, string, op, found);
+                sprintf_s(str, "mov %s,%s%c%s", string, string, op, found);
             else
-                strcpy(str, backup);
+                strcpy_s(str, backup);
         }
-        else
+        else //x=y
         {
             if(isvalidexpression(found))
-                sprintf(str, "mov %s,%s", string, found);
+                sprintf_s(str, "mov %s,%s", string, found);
             else
-                strcpy(str, backup);
+                strcpy_s(str, backup);
         }
-        strcpy(string, str);
+        strcpy_s(string, deflen, str);
     }
     else if((string[len - 1] == '+' && string[len - 2] == '+') || (string[len - 1] == '-' && string[len - 2] == '-')) //eax++/eax--
     {
         string[len - 2] = 0;
         char op = string[len - 1];
         if(isvalidexpression(string))
-            sprintf(str, "mov %s,%s%c1", string, string, op);
+            sprintf_s(str, "mov %s,%s%c1", string, string, op);
         else
-            strcpy(str, backup);
-        strcpy(string, str);
+            strcpy_s(str, backup);
+        strcpy_s(string, deflen, str);
     }
-    efree(str, "specialformat:str");
-    efree(backup, "specialformat:backup");
 }
 
 /*

x64_dbg_dbg/expressionparser.cpp

@@ -7,17 +7,17 @@ ExpressionParser::Token::Token(const String & data, const Type type)
     _type = type;
 }
 
-const String ExpressionParser::Token::data() const
+const String & ExpressionParser::Token::data() const
 {
     return _data;
 }
 
-const ExpressionParser::Token::Type ExpressionParser::Token::type() const
+ExpressionParser::Token::Type ExpressionParser::Token::type() const
 {
     return _type;
 }
 
-const ExpressionParser::Token::Associativity ExpressionParser::Token::associativity() const
+ExpressionParser::Token::Associativity ExpressionParser::Token::associativity() const
 {
     switch(_type)
     {
@@ -41,7 +41,7 @@ const ExpressionParser::Token::Associativity ExpressionParser::Token::associativ
     }
 }
 
-const int ExpressionParser::Token::precedence() const
+int ExpressionParser::Token::precedence() const
 {
     switch(_type)
     {
@@ -70,13 +70,15 @@ const int ExpressionParser::Token::precedence() const
     }
 }
 
-const bool ExpressionParser::Token::isOperator() const
+bool ExpressionParser::Token::isOperator() const
 {
     return _type != Type::Data && _type != Type::OpenBracket && _type != Type::CloseBracket;
 }
 
 ExpressionParser::ExpressionParser(const String & expression)
 {
+    _tokens.clear();
+    _prefixTokens.clear();
     tokenize(fixClosingBrackets(expression));
     shuntingYard();
 }
@@ -386,11 +388,9 @@ bool ExpressionParser::calculate(uint & value, bool signedcalc, bool silent, boo
     if(!_prefixTokens.size())
         return false;
     std::stack<uint> stack;
-    size_t len = _prefixTokens.size();
     //calculate the result from the RPN queue
-    for(size_t i = 0; i < len; i++)
+    for(const auto & token : _prefixTokens)
     {
-        Token & token = _prefixTokens[i];
         if(token.isOperator())
         {
             uint op1 = 0;

x64_dbg_dbg/expressionparser.h

@@ -40,11 +40,11 @@ public:
         };
 
         Token(const String & data, const Type type);
-        const String data() const;
-        const Type type() const;
-        const Associativity associativity() const;
-        const int precedence() const;
-        const bool isOperator() const;
+        const String & data() const;
+        Type type() const;
+        Associativity associativity() const;
+        int precedence() const;
+        bool isOperator() const;
 
     private:
         String _data;