From 1a2f205336bfa6b32e2401a5521b188a05ed4133 Mon Sep 17 00:00:00 2001
From: Khairul Azhar Kasmiran <kazarmy@gmail.com>
Date: Tue, 14 May 2024 20:44:51 +0800
Subject: [PATCH] Fix mach064 UAF by leaking imports

---
 librz/bin/bobj.c       | 21 +++++++++++++++------
 librz/include/rz_bin.h |  3 ++-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/librz/bin/bobj.c b/librz/bin/bobj.c
index 5d86fc665d4..9978b2d3ec6 100644
--- a/librz/bin/bobj.c
+++ b/librz/bin/bobj.c
@@ -125,8 +125,13 @@ RZ_API RzBinRelocStorage *rz_bin_reloc_storage_new(RZ_OWN RzPVector /*<RzBinRelo
 	ret->target_relocs_count = rz_pvector_len(&target_sorter);
 	ret->target_relocs = (RzBinReloc **)rz_pvector_flush(&target_sorter);
 	rz_pvector_fini(&target_sorter);
-	if (plugin && !strcmp(plugin->name, "coff")) {
-		ret->sym_imp_shared = true;
+	if (plugin) {
+		if (!strcmp(plugin->name, "coff")) {
+			ret->imp_shared = true;
+			ret->sym_shared = true;
+		} else if (!strcmp(plugin->name, "mach064")) {
+			ret->imp_shared = true;
+		}
 	}
 	return ret;
 }
@@ -136,10 +141,14 @@ RZ_API void rz_bin_reloc_storage_free(RzBinRelocStorage *storage) {
 		return;
 	}
 	for (size_t i = 0; i < storage->relocs_count; i++) {
-		if (storage->sym_imp_shared) {
-			free(storage->relocs[i]); // Not freeing symbol and import
-		} else {
-			rz_bin_reloc_free(storage->relocs[i]);
+		if (storage->relocs[i]) {
+			if (!storage->imp_shared) {
+				rz_bin_import_free(storage->relocs[i]->import);
+			}
+			if (!storage->sym_shared) {
+				rz_bin_symbol_free(storage->relocs[i]->symbol);
+			}
+			free(storage->relocs[i]);
 		}
 	}
 	free(storage->relocs);
diff --git a/librz/include/rz_bin.h b/librz/include/rz_bin.h
index 43a9ba8ca26..67e25e534c6 100644
--- a/librz/include/rz_bin.h
+++ b/librz/include/rz_bin.h
@@ -682,7 +682,8 @@ struct rz_bin_reloc_storage_t {
 	size_t relocs_count;
 	RzBinReloc **target_relocs; ///< all relocs that have a valid target_vaddr, ordered by their target_vaddr. size is target_relocs_count!
 	size_t target_relocs_count;
-	bool sym_imp_shared; // plugin frees reloc symbols and imports
+	bool imp_shared; // plugin frees reloc imports
+	bool sym_shared; // plugin frees reloc symbols
 }; // RzBinRelocStorage
 
 RZ_API RzBinRelocStorage *rz_bin_reloc_storage_new(RZ_OWN RzPVector /*<RzBinReloc *>*/ *relocs, RzBinPlugin *plugin);