Submission #850383: radareorg radare2 6.1.6 Out-of-Bounds Read

Title: radareorg radare2 6.1.6 Out-of-Bounds Read
Description:

> This report was generated by AI and manually verified by a human.

## Environment

```sh
# copypaste this script into your shell and replace it with the output
date
r2 -v
uname -ms
```

## Description

`r_bin_java_line_number_table_attr_new` in `shlr/java/class.c` can read beyond the end of a short `LineNumberTable` attribute buffer. The function accepts a 6-byte buffer, advances its internal offset to 6, and then reads a Java `ushort` at `buffer + offset`. That read needs bytes 6 and 7, but the supplied allocation only has valid indexes 0 through 5. ASan reports a heap-buffer-overflow at `shlr/java/class.c:3761`.

The expected behavior is for the parser to require enough bytes for the next `ushort` before reading it, or to reject the malformed attribute.

## Test

PoC:

- [line_number_table_oob_harness.c](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-015/pocs/line_number_table_oob_harness.c)
- [run_harness.sh](https://github.com/Bin-infinite/vuln-validations/blob/main/radare2/target/case-015/pocs/run_harness.sh)

Reproducer:

```sh
ROOT="$PWD"
curl -LO https://raw.githubusercontent.com/Bin-infinite/vuln-validations/main/radare2/target/case-015/pocs/line_number_table_oob_harness.c
clang -fsanitize=address,undefined -fno-omit-frame-pointer -g -O0 \
  -I"$ROOT/libr/include" \
  -I"$ROOT/build" \
  -I"$ROOT/shlr/sdb/include" \
  -I"$ROOT/shlr/java" \
  -L"$ROOT/build/libr/util" \
  -Wl,-rpath,"$ROOT/build/libr/util" \
  -o /tmp/line_number_table_oob_harness \
  line_number_table_oob_harness.c \
  -lr_util
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0 \
UBSAN_OPTIONS=halt_on_error=0:print_stacktrace=1 \
/tmp/line_number_table_oob_harness
```

Expected sanitizer result:

```text
ERROR: AddressSanitizer: heap-buffer-overflow
SUMMARY: AddressSanitizer: heap-buffer-overflow ... shlr/java/class.c:3761 in r_bin_java_line_number_table_attr_new
```

Stack trace excerpt:

```text
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1
    #0 r_bin_java_line_number_table_attr_new shlr/java/class.c:3761
    #1 main row-validation-output/case-015/pocs/line_number_table_oob_harness.c:45
0x5020000000b7 is located 1 bytes after 6-byte region [0x5020000000b0,0x5020000000b6)
allocated by thread T0 here:
    #0 malloc asan_malloc_linux.cpp:69
    #1 main row-validation-output/case-015/pocs/line_number_table_oob_harness.c:34
SUMMARY: AddressSanitizer: heap-buffer-overflow shlr/java/class.c:3761 in r_bin_java_line_number_table_attr_new
```
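The fix the report asks for is a length check before every multi-byte read. The following bounds-checked parser for the same attribute layout is an added illustration, not code from radare2 or from the report's harness. It assumes the standard JVM class-file layout of a `LineNumberTable` attribute (u2 `attribute_name_index`, u4 `attribute_length`, u2 entry count, then u2 `start_pc` / u2 `line_number` pairs), so the count lives at offset 6, exactly where the reported read happens; the function and type names, the return codes and the three sample buffers are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example-only capacity; a real parser would allocate for the declared count. */
#define LNT_EXAMPLE_CAPACITY 16

typedef struct {
    uint16_t start_pc;
    uint16_t line_number;
} LineNumberEntry;

typedef struct {
    uint16_t attribute_name_index;
    uint32_t attribute_length;
    uint16_t count;
    LineNumberEntry entries[LNT_EXAMPLE_CAPACITY];
} LineNumberTableAttr;

/* Big-endian u2 read that fails instead of touching bytes past len. */
static bool read_u2(const uint8_t *buf, size_t len, size_t *off, uint16_t *out) {
    if (*off > len || len - *off < 2) {
        return false;                      /* fewer than 2 bytes remain */
    }
    *out = (uint16_t)(((unsigned)buf[*off] << 8) | buf[*off + 1]);
    *off += 2;
    return true;
}

/* Big-endian u4 read with the same remaining-length check. */
static bool read_u4(const uint8_t *buf, size_t len, size_t *off, uint32_t *out) {
    if (*off > len || len - *off < 4) {
        return false;
    }
    *out = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
           ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
    *off += 4;
    return true;
}

/*
 * Parse a LineNumberTable attribute from buf[0..len).
 * Returns 0 on success, -1 on a truncated or inconsistent attribute,
 * -2 when the entry count exceeds this example's fixed capacity.
 * Every read goes through read_u2/read_u4, so a 6-byte input is rejected
 * at the count read rather than read past the allocation.
 */
int parse_line_number_table(const uint8_t *buf, size_t len, LineNumberTableAttr *out) {
    size_t off = 0;
    if (!read_u2(buf, len, &off, &out->attribute_name_index)) return -1;
    if (!read_u4(buf, len, &off, &out->attribute_length)) return -1;
    /* This is the read at offset 6 that the report describes. */
    if (!read_u2(buf, len, &off, &out->count)) return -1;
    /* The declared attribute_length must cover the table body (2 + 4 * count). */
    if (out->attribute_length < 2u + 4u * (uint32_t)out->count) return -1;
    if (out->count > LNT_EXAMPLE_CAPACITY) return -2;
    for (uint16_t i = 0; i < out->count; i++) {
        if (!read_u2(buf, len, &off, &out->entries[i].start_pc)) return -1;
        if (!read_u2(buf, len, &off, &out->entries[i].line_number)) return -1;
    }
    return 0;
}

/* Constructed inputs for the example (not taken from the report's harness). */
/* Same shape as the report: name index and length only, nothing at offset 6. */
const uint8_t kShortAttr[6] = { 0x00, 0x05, 0x00, 0x00, 0x00, 0x06 };
/* Well-formed: one entry, start_pc 0, line 10; attribute_length 6 = 2 + 4*1. */
const uint8_t kGoodAttr[12] = { 0x00, 0x05, 0x00, 0x00, 0x00, 0x06,
                                0x00, 0x01, 0x00, 0x00, 0x00, 0x0a };
/* Declares 5 entries (length 22) but the buffer ends right after the count. */
const uint8_t kTruncatedEntries[8] = { 0x00, 0x05, 0x00, 0x00, 0x00, 0x16, 0x00, 0x05 };

int main(void) {
    LineNumberTableAttr attr;
    printf("short attr   -> %d\n", parse_line_number_table(kShortAttr, sizeof kShortAttr, &attr));
    printf("good attr    -> %d (count %u, line %u)\n",
           parse_line_number_table(kGoodAttr, sizeof kGoodAttr, &attr),
           attr.count, attr.entries[0].line_number);
    printf("truncated    -> %d\n", parse_line_number_table(kTruncatedEntries, sizeof kTruncatedEntries, &attr));
    return 0;
}
```

Under ASan this parser stays clean on the 6-byte input because the remaining-length check in `read_u2` fails before any dereference; the third buffer shows why the check must also run per entry, since a plausible header can still be followed by fewer bytes than the count promises.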
Source: https://github.com/radareorg/radare2/issues/26043
User: Kery Qi (UID 94424)
Submission: 06/06/2026 07:24 (29 days ago)
Moderation: 04/07/2026 18:19 (28 days later)
Status: Accepted
VulDB Entry: 376348 [radareorg radare2 up to 6.1.6 RBinJava Line Number Table Parser shlr/java/class.c r_bin_java_inner_classes_attr_calc_size buffer overflow]
Points: 20
