| Questions | Answers
|------------------------------------------------------|--------------------
| OS/arch/bits (mandatory) | Windows 7 x64
| File format of the file you reverse (mandatory) | PE
| Architecture/bits of the file (mandatory) | x86/64
| Cutter and r2 version, See About Cutter (mandatory) | Version 1.7.1 / Using r2 2.8.0
| Show version information full output (See About Cutter) in a pastebin document (mandatory) | I don't see what's there to say other than it's your default win64 1.7.1 release, let alone I'm not going to copy them by hand
Scroll flawlessly disassembly
Crash after some seconds
Open the executable in cutter (default analysis is fine)
Enable "asm.pseudo" in preferences.
Scroll up and down a bit.
r2 issue, crashes at Linux as well. To reproduce:
e asm.pseudo = truepdj 6@6442453038Because of buffer overflow here

In case asmop.buf_asm has a small string (<32 characters) the string is being stored inside inline RStrBuf::buf array and r_asm_op_get_asm returns a pointer to it. After passing this pointer to the r_parse_parse func this RStrBuf will be overwritten by it in case there are some replacement which is not fits in buf. For example these ones:

(parse_x86_pseudo.c)
In case RStrBuf holds a string bigger that 32 characters, this overflow will spoil heap.
Current implementation of r_parse_parse isn't safe, and requires refactoring...
Thanks
Fixed partially in https://github.com/radare/radare2/issues/11751 so I'm closing the issue.
That said, r_parse_parse is still vulnerable to buffer overflow and probably need reimplemntation in the radare2 side.
I think @a1ext can share more details
Most helpful comment
Because of buffer overflow here

In case
asmop.buf_asmhas a small string (<32 characters) the string is being stored inside inlineRStrBuf::bufarray andr_asm_op_get_asmreturns a pointer to it. After passing this pointer to ther_parse_parsefunc thisRStrBufwill be overwritten by it in case there are some replacement which is not fits inbuf. For example these ones:(
parse_x86_pseudo.c)In case RStrBuf holds a string bigger that 32 characters, this overflow will spoil heap.
Current implementation of
r_parse_parseisn't safe, and requires refactoring...Thanks