DBG+BRIDGE+GUI: fixed possible out-of-range access related to data disassembly

src/bridge/bridgemain.cpp

@@ -956,9 +956,9 @@ BRIDGE_IMPEXP ARGTYPE DbgGetArgTypeAt(duint addr)
     return ARG_MIDDLE;
 }
 
-BRIDGE_IMPEXP void* DbgGetEncodeTypeBuffer(duint addr)
+BRIDGE_IMPEXP void* DbgGetEncodeTypeBuffer(duint addr, duint* size)
 {
-    return (void*)_dbg_sendmessage(DBG_GET_ENCODE_TYPE_BUFFER, (void*)addr, nullptr);
+    return (void*)_dbg_sendmessage(DBG_GET_ENCODE_TYPE_BUFFER, (void*)addr, size);
 }
 
 BRIDGE_IMPEXP void DbgReleaseEncodeTypeBuffer(void* buffer)

src/bridge/bridgemain.h

@@ -860,7 +860,7 @@ BRIDGE_IMPEXP bool DbgWinEventGlobal(MSG* message);
 BRIDGE_IMPEXP bool DbgIsRunning();
 BRIDGE_IMPEXP duint DbgGetTimeWastedCounter();
 BRIDGE_IMPEXP ARGTYPE DbgGetArgTypeAt(duint addr);
-BRIDGE_IMPEXP void* DbgGetEncodeTypeBuffer(duint addr);
+BRIDGE_IMPEXP void* DbgGetEncodeTypeBuffer(duint addr, duint* size);
 BRIDGE_IMPEXP void DbgReleaseEncodeTypeBuffer(void* buffer);
 BRIDGE_IMPEXP ENCODETYPE DbgGetEncodeTypeAt(duint addr, duint size);
 BRIDGE_IMPEXP duint DbgGetEncodeSizeAt(duint addr, duint codesize);

src/dbg/_exports.cpp

@@ -1180,7 +1180,7 @@ extern "C" DLL_EXPORT duint _dbg_sendmessage(DBGMSG type, void* param1, void* pa
 
     case DBG_GET_ENCODE_TYPE_BUFFER:
     {
-        return (duint)EncodeMapGetBuffer((duint)param1);
+        return (duint)EncodeMapGetBuffer((duint)param1, (duint*)param2);
     }
     break;
 

src/dbg/analysis/advancedanalysis.cpp

@@ -36,8 +36,9 @@ void AdvancedAnalysis::SetMarkers()
         for(const auto & function : mFunctions)
             FileHelper::WriteAllText(StringUtils::sprintf("cfgraph_%p.dot", function.entryPoint), function.ToDot());
 
-    byte* buffer = (byte*)EncodeMapGetBuffer(mBase, true);
-    memcpy(buffer, mEncMap, mSize);
+    duint encMapSize;
+    byte* buffer = (byte*)EncodeMapGetBuffer(mBase, &encMapSize, true);
+    memcpy(buffer, mEncMap, encMapSize);
     EncodeMapReleaseBuffer(buffer);
 
     XrefDelRange(mBase, mBase + mSize - 1);

src/dbg/encodemap.cpp

@@ -110,22 +110,24 @@ static bool EncodeMapGetorCreate(duint addr, ENCODEMAP & map, bool* created = nu
     return true;
 }
 
-void* EncodeMapGetBuffer(duint addr, bool create)
+void* EncodeMapGetBuffer(duint addr, duint* size, bool create)
 {
-    duint size;
-    auto base = MemFindBaseAddr(addr, &size);
+    auto base = MemFindBaseAddr(addr);
 
     ENCODEMAP map;
-    auto result = create ? EncodeMapGetorCreate(addr, map) : encmaps.Get(EncodeMap::VaKey(base), map);
-    if(result)
+    if(create ? EncodeMapGetorCreate(addr, map) : encmaps.Get(EncodeMap::VaKey(base), map))
     {
         auto offset = addr - base;
         if(offset < map.size)
         {
             IncreaseReferenceCount(map.data);
+            if(size)
+                *size = map.size;
             return map.data;
         }
     }
+    if(size)
+        *size = 0;
     return nullptr;
 }
 

src/dbg/encodemap.h

@@ -1,7 +1,7 @@
 #pragma once
 #include "_global.h"
 
-void* EncodeMapGetBuffer(duint addr, bool create = false);
+void* EncodeMapGetBuffer(duint addr, duint* size, bool create = false);
 void EncodeMapReleaseBuffer(void* buffer);
 ENCODETYPE EncodeMapGetType(duint addr, duint codesize);
 duint EncodeMapGetSize(duint addr, duint codesize);

src/dbg/memory.h

@@ -23,7 +23,7 @@ struct SimplePage
 
 void MemUpdateMap();
 void MemUpdateMapAsync();
-duint MemFindBaseAddr(duint Address, duint* Size, bool Refresh = false, bool FindReserved = false);
+duint MemFindBaseAddr(duint Address, duint* Size = nullptr, bool Refresh = false, bool FindReserved = false);
 bool MemRead(duint BaseAddress, void* Buffer, duint Size, duint* NumberOfBytesRead = nullptr, bool cache = false);
 bool MemReadUnsafe(duint BaseAddress, void* Buffer, duint Size, duint* NumberOfBytesRead = nullptr);
 bool MemWrite(duint BaseAddress, const void* Buffer, duint Size, duint* NumberOfBytesWritten = nullptr);

src/gui/Src/Utils/EncodeMap.cpp

@@ -1,6 +1,11 @@
 #include "EncodeMap.h"
 
-EncodeMap::EncodeMap(QObject* parent) : QObject(parent), mBase(0), mSize(0), mBuffer(nullptr)
+EncodeMap::EncodeMap(QObject* parent)
+    : QObject(parent),
+      mBase(0),
+      mSize(0),
+      mBuffer(nullptr),
+      mBufferSize(0)
 {
 }
 
@@ -18,7 +23,7 @@ void EncodeMap::setMemoryRegion(duint addr)
 
     if(mBuffer)
         DbgReleaseEncodeTypeBuffer(mBuffer);
-    mBuffer = (byte*)DbgGetEncodeTypeBuffer(addr);
+    mBuffer = (byte*)DbgGetEncodeTypeBuffer(addr, &mBufferSize);
 }
 
 void EncodeMap::setDataType(duint va, ENCODETYPE type)
@@ -50,7 +55,7 @@ void EncodeMap::delSegment(duint va)
 
 ENCODETYPE EncodeMap::getDataType(duint addr)
 {
-    if(!mBuffer || !inRange(addr))
+    if(!mBuffer || !inBufferRange(addr))
         return enc_unknown;
 
     return ENCODETYPE(mBuffer[addr - mBase]);
@@ -58,12 +63,10 @@ ENCODETYPE EncodeMap::getDataType(duint addr)
 
 duint EncodeMap::getDataSize(duint addr, duint codesize)
 {
-    if(!mBuffer || !inRange(addr))
+    if(!mBuffer || !inBufferRange(addr))
         return codesize;
 
-    duint offset = addr - mBase;
-
-    auto type = ENCODETYPE(mBuffer[offset]);
+    auto type = ENCODETYPE(mBuffer[addr - mBase]);
 
     auto datasize = getEncodeTypeSize(type);
     if(isCode(type))

src/gui/Src/Utils/EncodeMap.h

@@ -71,15 +71,16 @@ public:
         }
     }
 
-    inline bool inRange(duint addr)
+    inline bool inBufferRange(duint addr)
     {
-        return addr >= mBase && addr < mBase + mSize;
+        return addr >= mBase && addr < mBase + mBufferSize;
     }
 
 protected:
     duint mBase;
     duint mSize;
     byte* mBuffer;
+    duint mBufferSize;
 };
 
 #endif // ENCODEMAP_H