Add corrupted list check and more headers

rizinorg · Jun 10, 2021 · 8efb91b · 8efb91b
1 parent 986c47d
commit 8efb91b
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 3 deletions.
diff --git a/librz/core/linux_heap_glibc.c b/librz/core/linux_heap_glibc.c
@@ -558,7 +558,7 @@ void GH(print_heap_chunk)(RzCore *core, GHT chunk) {
  * @param addr Base address of the chunk
  * @return RzHeapChunk struct pointer of the chunk
  */
-RZ_API GH(RzHeapChunk) * GH(rz_get_heap_chunk_at_addr)(RzCore *core, ut64 addr) {
+RZ_API GH(RzHeapChunk) * GH(rz_get_heap_chunk_at_addr)(RzCore *core, GHT addr) {
 	GH(RzHeapChunk) *cnk = RZ_NEW0(GH(RzHeapChunk));
 	if (!cnk) {
 		return NULL;
@@ -1377,9 +1377,26 @@ RZ_API RzList *GH(rz_get_bin_content_list)(RzCore *core, MallocState *main_arena
 	}
 	GH(RzHeapChunk) *cnk = RZ_NEW0(GH(RzHeapChunk));
 	if (!cnk) {
-		return 0;
+		return chunks;
+	}
+	GHT brk_start = GHT_MAX, brk_end = GHT_MAX, initial_brk = GHT_MAX;
+	GH(get_brks)
+	(core, &brk_start, &brk_end);
+	if (brk_start == GHT_MAX || brk_end == GHT_MAX) {
+		eprintf("No Heap section\n");
+		return chunks;
+	}
+	const int tcache = rz_config_get_i(core->config, "dbg.glibc.tcache");
+	if (tcache) {
+		const int fc_offset = rz_config_get_i(core->config, "dbg.glibc.fc_offset");
+		initial_brk = ((brk_start >> 12) << 12) + fc_offset;
+	} else {
+		initial_brk = (brk_start >> 12) << 12;
 	}
 	while (fw != head->fd) {
+		if (fw > main_arena->GH(top) || fw < initial_brk) {
+			break;
+		}
 		rz_io_read_at(core->io, fw, (ut8 *)cnk, sizeof(GH(RzHeapChunk)));
 		RzHeapChunkListItem *chunk = malloc(sizeof(RzHeapChunkListItem));
 		chunk->addr = fw;

diff --git a/librz/include/rz_core.h b/librz/include/rz_core.h
@@ -772,15 +772,21 @@ RZ_API void rz_core_sysenv_end(RzCore *core, const char *cmd);
 
 RZ_API void rz_core_recover_vars(RzCore *core, RzAnalysisFunction *fcn, bool argonly);
 
-/* linux_heap_glibc */
+/* linux_heap_glibc.c */
 RZ_API RzHeapChunk_64 *rz_get_heap_chunk_at_addr_64(RzCore *core, ut64 addr);
 RZ_API RzList *rz_get_bin_content_list_64(RzCore *core, MallocState *main_arena, int bin_num);
 RZ_API RzList *rz_get_arenas_list_64(RzCore *core, ut64 m_arena, MallocState *main_arena);
 RZ_API RzList *rz_get_heap_chunks_list_64(RzCore *core, MallocState *main_arena, ut64 m_arena, ut64 m_state);
 RZ_API bool rz_resolve_main_arena_64(RzCore *core, ut64 *m_arena);
 RZ_API bool rz_update_main_arena_64(RzCore *core, ut64 m_arena, MallocState *main_arena);
 RZ_API RzList *rz_get_tcache_list_64(RzCore *core, ut64 m_arena, MallocState *main_arena, bool main_thread_only);
+RZ_API RzHeapChunk_32 *rz_get_heap_chunk_at_addr_32(RzCore *core, ut32 addr);
+RZ_API RzList *rz_get_bin_content_list_32(RzCore *core, MallocState *main_arena, int bin_num);
 RZ_API RzList *rz_get_arenas_list_32(RzCore *core, ut32 m_arena, MallocState *main_arena);
+RZ_API RzList *rz_get_heap_chunks_list_32(RzCore *core, MallocState *main_arena, ut32 m_arena, ut32 m_state);
+RZ_API bool rz_resolve_main_arena_32(RzCore *core, ut32 *m_arena);
+RZ_API bool rz_update_main_arena_32(RzCore *core, ut32 m_arena, MallocState *main_arena);
+RZ_API RzList *rz_get_tcache_list_32(RzCore *core, ut32 m_arena, MallocState *main_arena, bool main_thread_only);
 // XXX dupe from rz_bin.h
 /* bin.c */
 #define RZ_CORE_BIN_ACC_STRINGS          0x001