fileinfo crashes during reconstruction of .NET types

[s3rvac]

fileinfo crashes during reconstruction of .NET types in the PE binary below.

Input

Run

$ retdec-fileinfo FILE

where FILE is:

• 057CC3829D8EBA8AEBC3043EEA40AF5B05E1EB229012136B43134728E1B46D63
• 54FB1B3D36EB3FB13A3C565A7C7A0A7E2190E0724014488DF60713F2276A379C

Output

Segmentation fault

Expected output

fileinfo does not crash when analyzing the file.

Output from valgrind

==16969== Invalid read of size 8
==16969==    at 0x2DBA3C: std::vector<retdec::fileformat::AssemblyRef, std::allocator<retdec::fileformat::AssemblyRef> >::size() const (stl_vector.h:806)
==16969==    by 0x2D835E: retdec::fileformat::MetadataTable<retdec::fileformat::AssemblyRef>::getRow(unsigned long) const (metadata_table.h:98)
==16969==    by 0x382320: retdec::fileformat::DotnetTypeReconstructor::createClassReference(retdec::fileformat::TypeRef const*, unsigned long) (dotnet_type_reconstructor.cpp:843)
==16969==    by 0x3802D1: retdec::fileformat::DotnetTypeReconstructor::reconstructClasses() (dotnet_type_reconstructor.cpp:401)
==16969==    by 0x37F853: retdec::fileformat::DotnetTypeReconstructor::reconstruct() (dotnet_type_reconstructor.cpp:227)
==16969==    by 0x2C588B: retdec::fileformat::PeFormat::detectDotnetTypes() (pe_format.cpp:1895)
==16969==    by 0x2C3151: retdec::fileformat::PeFormat::loadDotnetHeaders() (pe_format.cpp:1259)
==16969==    by 0x2BE54D: retdec::fileformat::PeFormat::initStructures() (pe_format.cpp:403)
==16969==    by 0x2BDC93: retdec::fileformat::PeFormat::PeFormat(...) (pe_format.cpp:297)
==16969==    by 0x225ADA: fileinfo::PeWrapper::PeWrapper(...) (pe_wrapper.cpp:96)
==16969==    by 0x19C9D4: void __gnu_cxx::new_allocator<fileinfo::PeWrapper>::construct<...>(..) (new_allocator.h:136)
==16969==    by 0x19C893: void std::allocator_traits<...>::construct<...>(...) (alloc_traits.h:475)
==16969==  Address 0x18 is not stack'd, malloc'd or (recently) free'd

Configuration

• Commit: bfd6efb (current master)
• 64b Arch Linux, GCC 8.2.1, Debug build of RetDec

[s3rvac]

I have analyzed this. In src/fileformat/types/dotnet_types/dotnet_type_reconstructor.cpp, there is the following piece of code:

842         auto assemblyRefTable = static_cast<const MetadataTable<AssemblyRef>*>(metadataStream->getMetadataTable(MetadataTableType::AssemblyRef));
843         auto assemblyRef = assemblyRefTable->getRow(typeRef->resolutionScope.getIndex());

The problem is that when analyzing the reported files, assemblyRefTable on line 842 is the null pointer, and so the call to assemblyRefTable->getRow() segfaults due to a null pointer access.

@metthal Would returning nullptr from DotnetTypeReconstructor::createClassReference() when assemblyRefTable is nullptr be the correct fix here or is something wrong at an earlier place?

[metthal]

Yes, returning nullptr when assemblyRefTable is nullptr should be valid fix. That situation when TypeRef records refers to AssemblyRef table while AssemblyRef table is missing shouldn't really happen so something must be wrong with those files.

@JakubPruzinec could you please verify since you are author of this code? Would it for example make sense to set classLibName to empty string?

[JakubPruzinec]

Thx for letting me know. Indeed, the check was missing.
#511

[s3rvac]

Fixed by @JakubPruzinec in #511.