# radareorg radare2 6.1.6 Out-of-Bounds Read

> This report was generated by AI and manually verified by a human.
## Environment
```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```
## Description
`r_bin_java_line_number_table_attr_new` in `shlr/java/class.c` can read beyond the end of a short `LineNumberTable` attribute buffer.
The function accepts a 6-byte buffer, advances its internal offset to 6, and then reads a Java `ushort` at `buffer + offset`. That read needs bytes 6 and 7, but the supplied allocation only has valid indexes 0 through 5. ASan reports a heap-buffer-overflow at `shlr/java/class.c:3761`.
The expected behavior is for the parser to require enough bytes for the next `ushort` before reading it, or to reject the malformed attribute.
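The check the report asks for, as an added example that is not radare2 code: a small bounds-checked reader for the JVM `LineNumberTable` attribute layout (`u2 attribute_name_index`, `u4 attribute_length`, `u2 line_number_table_length`, then `{u2 start_pc; u2 line_number}` entries). The helper names, the struct types and the three constructed input buffers are assumptions made for this example; the first buffer mirrors the report's 6-byte case, where the length field that would be read at offset 6 is absent, and the parser refuses it instead of reading past the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical types for this example; radare2 uses its own structures. */
typedef struct {
    uint16_t start_pc;
    uint16_t line_number;
} line_entry_t;

typedef struct {
    uint16_t attr_name_index;
    uint32_t attr_length;
    uint16_t count;
    line_entry_t *entries;   /* malloc'd array of `count` entries */
} line_number_table_t;

/* Big-endian reads that check the remaining length before touching buf. */
static bool read_u2(const uint8_t *buf, size_t len, size_t *off, uint16_t *out) {
    if (*off > len || len - *off < 2) {
        return false;
    }
    *out = (uint16_t)(((uint16_t)buf[*off] << 8) | buf[*off + 1]);
    *off += 2;
    return true;
}

static bool read_u4(const uint8_t *buf, size_t len, size_t *off, uint32_t *out) {
    if (*off > len || len - *off < 4) {
        return false;
    }
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | buf[*off + 3];
    *off += 4;
    return true;
}

/* Returns the number of entries parsed, or -1 when the buffer is too short
 * or the declared lengths do not fit in it. On -1, *out is left untouched. */
int parse_line_number_table(const uint8_t *buf, size_t len, line_number_table_t *out) {
    size_t off = 0;
    uint16_t name_idx, count;
    uint32_t attr_len;

    if (!read_u2(buf, len, &off, &name_idx) || !read_u4(buf, len, &off, &attr_len)) {
        return -1;
    }
    /* The table-length read at offset 6: guarded here, so a 6-byte buffer fails cleanly. */
    if (!read_u2(buf, len, &off, &count)) {
        return -1;
    }
    /* The entries must fit both the declared attribute_length and the real buffer. */
    if (attr_len < 2 || (attr_len - 2) / 4 < count || len - off < (size_t)count * 4) {
        return -1;
    }
    line_entry_t *entries = count ? calloc(count, sizeof *entries) : NULL;
    if (count && !entries) {
        return -1;
    }
    for (uint16_t i = 0; i < count; i++) {
        if (!read_u2(buf, len, &off, &entries[i].start_pc) ||
            !read_u2(buf, len, &off, &entries[i].line_number)) {
            free(entries);
            return -1;
        }
    }
    out->attr_name_index = name_idx;
    out->attr_length = attr_len;
    out->count = count;
    out->entries = entries;
    return (int)count;
}

/* Constructed input: 6 bytes, name index 1, attribute_length 2, no length field. */
int demo_short_attribute(void) {
    static const uint8_t buf[6] = { 0x00, 0x01, 0x00, 0x00, 0x00, 0x02 };
    line_number_table_t t;
    return parse_line_number_table(buf, sizeof buf, &t);
}

/* Constructed input: one entry (start_pc 0, line 42); returns 1 on success. */
int demo_valid_attribute(void) {
    static const uint8_t buf[12] = { 0x00, 0x01, 0x00, 0x00, 0x00, 0x06,
                                     0x00, 0x01, 0x00, 0x00, 0x00, 0x2a };
    line_number_table_t t;
    int n = parse_line_number_table(buf, sizeof buf, &t);
    int ok = (n == 1 && t.count == 1 && t.entries[0].line_number == 42);
    free(t.entries);
    return ok ? n : -2;
}

/* Constructed input: declares 3 entries but carries none of them. */
int demo_overstated_count(void) {
    static const uint8_t buf[8] = { 0x00, 0x01, 0x00, 0x00, 0x00, 0x0e, 0x00, 0x03 };
    line_number_table_t t;
    return parse_line_number_table(buf, sizeof buf, &t);
}

int main(void) {
    printf("short: %d\nvalid: %d\noverstated: %d\n",
           demo_short_attribute(), demo_valid_attribute(), demo_overstated_count());
    return 0;
}
```

The two guards matter independently: the per-field length check stops the read at offset 6 that the sanitizer flags, and the count check stops a well-formed header from driving the entry loop past the end of a buffer that is shorter than its declared `line_number_table_length` implies.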
## Test
PoC:
- [line_number_table_oob_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-015/pocs/line_number_table_oob_harness.c)
- [run_harness.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-015/pocs/run_harness.sh)
Reproducer:
```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-015/pocs/line_number_table_oob_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
-I"$ROOT/libr/include" \
-I"$ROOT/build" \
-I"$ROOT/shlr/sdb/include" \
-I"$ROOT/shlr/java" \
-L"$ROOT/build/libr/util" \
-Wl,-rpath,"$ROOT/build/libr/util" \
-o /tmp/line_number_table_oob_harness \
line_number_table_oob_harness.c \
-lr_util
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/line_number_table_oob_harness
```
Expected sanitizer result:
```text
ERROR: AddressSanitizer: heap-buffer-overflow
SUMMARY: AddressSanitizer: heap-buffer-overflow ... shlr/java/class.c:3761 in r_bin_java_line_number_table_attr_new
```
Stack trace excerpt:
```text
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1
#0 r_bin_java_line_number_table_attr_new shlr/java/class.c:3761
#1 main row-validation-output/case-015/pocs/line_number_table_oob_harness.c:45
0x5020000000b7 is located 1 bytes after 6-byte region [0x5020000000b0,0x5020000000b6)
allocated by thread T0 here:
#0 malloc asan_malloc_linux.cpp:69
#1 main row-validation-output/case-015/pocs/line_number_table_oob_harness.c:34
SUMMARY: AddressSanitizer: heap-buffer-overflow shlr/java/class.c:3761 in r_bin_java_line_number_table_attr_new
```
| Field | Value |
|---|---|
| Source | https://github.com/radareorg/radare2/issues/26043 |
| User | Kery Qi (UID 94424) |
| Submission | 06/06/2026 07:24 AM (29 days ago) |
| Moderation | 04/07/2026 06:19 PM (28 days later) |
| Status | Approved |
| VulDB Entry | 376348 [radareorg radare2 up to 6.1.6 RBinJava Line Number Table Parser shlr/java/class.c r_bin_java_inner_classes_attr_calc_size memory corruption] |
| Points | 20 |