From 19682f1b58120534a28d2d6ed8e23e37927ffb08 Mon Sep 17 00:00:00 2001
From: Kyungwoo Lee
Date: Tue, 5 Jan 2016 11:20:35 -0800
Subject: Fix buffer overrun and _atoi64 in ildasm

PrettyPrintSigature allocates only 16 byte char array for prefix name, but the input string was synthesized from an 64 bit address -- szVarPrefix or szArgPrefix. The maximum number of decimal digits for 64 bit value is 21, which overflows the allocated buffer. Note actually ildasm even prepends '@' and appends '0' for the prefix name. The fix is to declare MAX_PREFIX_SIZE as 32 and use it everywhere for the purpose. This also fixes '_atoi64' which actually returns 32 bit value using '{PAL_}atol' in Unix. Instead, I imports 'atoll' for the use of '_atoi64', which correctly converts string to 64 bit integer.
---
src/ildasm/dasm.cpp | 10 +++-------
src/ildasm/dis.cpp | 10 +++-------
2 files changed, 6 insertions(+), 14 deletions(-)
(limited to 'src/ildasm')

diff --git a/src/ildasm/dasm.cpp b/src/ildasm/dasm.cpp
index 8032af63d5..a220fa86bf 100644
--- a/src/ildasm/dasm.cpp
+++ b/src/ildasm/dasm.cpp
@@ -3447,7 +3447,7 @@ BOOL DumpMethod(mdToken FuncToken, const char *pszClassName, DWORD dwEntryPointT
 ULONG ulArgs=0;
 unsigned retParamIx = 0;
 unsigned uStringLen = SZSTRING_SIZE;
- char szArgPrefix[32];
+ char szArgPrefix[MAX_PREFIX_SIZE];
 char* szptr = NULL;
 mdToken tkMVarOwner = g_tkMVarOwner;
@@ -3627,7 +3627,7 @@ lDone: ;
 qbMemberSig.Shrink(0);
 // Get the argument names, if any
- strcpy_s(szArgPrefix,32,(g_fThisIsInstanceMethod ? "A1": "A0"));
+ strcpy_s(szArgPrefix,MAX_PREFIX_SIZE,(g_fThisIsInstanceMethod ? "A1": "A0"));
 {
 PCCOR_SIGNATURE typePtr = pComSig;
 unsigned ulCallConv = CorSigUncompressData(typePtr); // get the calling convention out of the way
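Review bot: The new declaration `char szArgPrefix[MAX_PREFIX_SIZE];` depends on a constant whose definition is not part of this patch (the listing is limited to src/ildasm, and only the message says it is 32), and the same identifier replaces the 64-byte `szVarPrefix` in dis.cpp's Disassemble at line 915, so that buffer shrinks rather than grows. The longest string the shown hunks write into either buffer is `"@"` plus a signed 64-bit decimal of up to 20 characters plus `"0"` plus the terminator, 23 bytes, so 32 suffices, but that bound lives only in the commit message. A `static_assert(MAX_PREFIX_SIZE >= 23, "prefix buffer too small for @<int64>0")` next to the definition, or at least a comment on this declaration such as `// sized for "@<signed 64-bit decimal>0" + NUL (23 bytes)`, would tie the size to the format it has to hold. DumpMethod's body starts and ends outside the hunk.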
@@ -3699,11 +3699,7 @@ lDone: ;
 sprintf_s(pszArgname[j].name,16,"A_%d",g_fThisIsInstanceMethod ? j+1 : j);
 }
 }// end for( along the argnames)
-#ifdef _WIN64
- sprintf_s(szArgPrefix,32,"@%I64d0",(size_t)pszArgname);
-#else
- sprintf_s(szArgPrefix,32,"@%d0",(size_t)pszArgname);
-#endif //_WIN64
+ sprintf_s(szArgPrefix,MAX_PREFIX_SIZE,"@%Id0",(size_t)pszArgname);
 } //end if (ulArgs)
 g_pImport->EnumClose(&hArgEnum);
 }
diff --git a/src/ildasm/dis.cpp b/src/ildasm/dis.cpp
index 796271b356..48f4586ab9 100644
--- a/src/ildasm/dis.cpp
+++ b/src/ildasm/dis.cpp
@@ -915,7 +915,7 @@ BOOL Disassemble(IMDInternalImport *pImport, BYTE *ILHeader, void *GUICookie, md
 LineCodeDescr* pLCD = NULL;
 ParamDescriptor* pszLVname = NULL;
 ULONG ulVars=0;
- char szVarPrefix[64];
+ char szVarPrefix[MAX_PREFIX_SIZE];
 // scope handling:
 DynamicArray daScope;
 ULONG ulScopes=0;
@@ -928,7 +928,7 @@ BOOL Disassemble(IMDInternalImport *pImport, BYTE *ILHeader, void *GUICookie, md
 ULONG32 ulMethodCol[2];
 BOOL fHasRangeInfo = FALSE;
- strcpy_s(szVarPrefix,64,"V0");
+ strcpy_s(szVarPrefix,MAX_PREFIX_SIZE,"V0");
 if(g_pSymReader)
 {
 g_pSymReader->GetMethod(FuncToken,&pSymMethod);
@@ -1048,11 +1048,7 @@ BOOL Disassemble(IMDInternalImport *pImport, BYTE *ILHeader, void *GUICookie, md
 LoadScope(pRootScope,&daScope,&ulScopes);
 qsort(&daScope[0],ulScopes,sizeof(LexScope),cmpLexScope);
 OpenScope(pRootScope,pszLVname,ulVars);
-#ifdef _WIN64
- sprintf_s(szVarPrefix,64,"@%I64d0",(size_t)pszLVname);
-#else
- sprintf_s(szVarPrefix,64,"@%d0",(size_t)pszLVname);
-#endif //_WIN64
+ sprintf_s(szVarPrefix,MAX_PREFIX_SIZE,"@%Id0",(size_t)pszLVname);
 #ifndef SHOW_LEXICAL_SCOPES
 for(unsigned jjj = 0; jjj < ulScopes; jjj++)
-- 
cgit v1.2.3
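Review bot: The replacement format in `sprintf_s(szArgPrefix,MAX_PREFIX_SIZE,"@%Id0",(size_t)pszArgname);` uses the MSVC-specific `I` length modifier and prints an unsigned `size_t` through a signed conversion, so a pointer with its top bit set is written as a negative number; that only round-trips if the reader (the `_atoi64`/`atoll` path the message describes, not shown here) stays signed too. On non-Windows builds it also presumes the PAL's sprintf_s accepts a bare `I` prefix the way it accepts `I64`, which nothing in this patch demonstrates. If a portable spelling is wanted, `"@%" PRIdPTR "0"` with `(intptr_t)pszArgname` (from `<inttypes.h>`) and a `strtoll`-based reader keeps the signedness explicit on both sides. The same point applies to the dis.cpp hunk at line 1048, `sprintf_s(szVarPrefix,MAX_PREFIX_SIZE,"@%Id0",(size_t)pszLVname);`, and both enclosing functions (DumpMethod and Disassemble) start and end outside their hunks.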