From fab5d2dfa23c30c083ae3c5738c8c0b7832b18cc Mon Sep 17 00:00:00 2001
From: Ajax
Date: Thu, 15 Feb 2018 12:53:29 +0100
Subject: simp_compose: ensure the '/' is not rounded to 0, but really equals to
---
test/expression/simplifications.py | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'test/expression/simplifications.py')
diff --git a/test/expression/simplifications.py b/test/expression/simplifications.py
index 0c516a8e..add689c7 100644
--- a/test/expression/simplifications.py
+++ b/test/expression/simplifications.py
@@ -411,6 +411,10 @@ to_test = [(ExprInt(1, 32) - ExprInt(1, 32), ExprInt(0, 32)),
 (a >> b >> c, a >> b >> c), # Left unmodified
 (a >> b_msb_null >> c_msb_null, a >> (b_msb_null + c_msb_null)),
+
+ # Degenerated case from fuzzing, which had previously raised bugs
+ (ExprCompose(ExprInt(0x7, 3), ExprMem(ExprInt(0x39E21, 19), 1), ExprMem(ExprInt(0x39E21, 19), 1)),
+ ExprCompose(ExprInt(0x7, 3), ExprMem(ExprInt(0x39E21, 19), 1), ExprMem(ExprInt(0x39E21, 19), 1))),
 ]
 for e_input, e_check in to_test:
-- 
cgit 1.4.1
From 2c62e418735010b8f816bc0d4d23973392ddceab Mon Sep 17 00:00:00 2001
From: Ajax
Date: Thu, 15 Feb 2018 12:58:10 +0100
Subject: 'simp_propag': avoid computing shifts when the size is too big (potential Python overflow)
---
miasm2/expression/simplifications_common.py | 19 ++++++++++++++++---
test/expression/simplifications.py | 6 ++++++
2 files changed, 22 insertions(+), 3 deletions(-)
(limited to 'test/expression/simplifications.py')
diff --git a/miasm2/expression/simplifications_common.py b/miasm2/expression/simplifications_common.py
index d1b134f2..a1301cba 100644
--- a/miasm2/expression/simplifications_common.py
+++ b/miasm2/expression/simplifications_common.py
@@ -40,13 +40,26 @@ def simp_cst_propagation(e_s, expr):
 elif op_name == '|':
 out = int1.arg | int2.arg
 elif op_name == '>>':
- out = int1.arg >> int2.arg
+ if int(int2) > int1.size:
+ out = 0
+ else:
+ out = int1.arg >> int2.arg
 elif op_name == '<<':
- out = int1.arg << int2.arg
+ if int(int2) > int1.size:
+ out = 0
+ else:
+ out = int1.arg << int2.arg
 elif op_name == 'a>>':
 tmp1 = mod_size2int[int1.arg.size](int1.arg)
 tmp2 = mod_size2uint[int2.arg.size](int2.arg)
- out = mod_size2uint[int1.arg.size](tmp1 >> tmp2)
+ if tmp2 > int1.size:
+ is_signed = int(int1) & (1 << (int1.size - 1))
+ if is_signed:
+ out = -1
+ else:
+ out = 0
+ else:
+ out = mod_size2uint[int1.arg.size](tmp1 >> tmp2)
 elif op_name == '>>>':
 shifter = int2.arg % int2.size
 out = (int1.arg >> shifter) | (int1.arg << (int2.size - shifter))
diff --git a/test/expression/simplifications.py b/test/expression/simplifications.py
index add689c7..76deb565 100644
--- a/test/expression/simplifications.py
+++ b/test/expression/simplifications.py
@@ -415,6 +415,12 @@ to_test = [(ExprInt(1, 32) - ExprInt(1, 32), ExprInt(0, 32)),
 # Degenerated case from fuzzing, which had previously raised bugs
 (ExprCompose(ExprInt(0x7, 3), ExprMem(ExprInt(0x39E21, 19), 1), ExprMem(ExprInt(0x39E21, 19), 1)),
 ExprCompose(ExprInt(0x7, 3), ExprMem(ExprInt(0x39E21, 19), 1), ExprMem(ExprInt(0x39E21, 19), 1))),
+ (ExprOp('>>', ExprInt(0x5E580475, 92), ExprInt(0x7D800000000000000331720, 92)),
+ ExprInt(0x0, 92)),
+ (ExprOp('a>>', ExprInt(0x5E580475, 92), ExprInt(0x7D800000000000000331720, 92)),
+ ExprInt(0x0, 92)),
+ (ExprOp('a>>', ExprInt(-0x5E580475, 92), ExprInt(0x7D800000000000000331720, 92)),
+ ExprInt(-1, 92)),
 ]
 for e_input, e_check in to_test:
-- 
cgit 1.4.1
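Review bot: The three new width guards are written in three different shapes — the '>>' and '<<' branches compare `int(int2)` against `int1.size`, while the 'a>>' branch compares the already-converted `tmp2`, and then re-derives the sign with `int(int1) & (1 << (int1.size - 1))` even though `tmp1` on the line above is the signed view of the same value; if mod_size2int yields a negative value for a set top bit, as the `tmp1 >> tmp2` arithmetic shift on the last added line appears to rely on, `is_signed = tmp1 < 0` is the same test without the mask. Unifying the three guards on one form (one `shift = int(int2)` read before the `elif` chain, or a small helper) would keep a later edit from fixing one branch and not the others. A count equal to `int1.size` still falls through to the computed path; that is correct for '>>' and 'a>>' and bounded for '<<', so `>` is sound, but the intent deserves a comment such as `# A count wider than the operand would build a Python int of 2**count bits; the result is known without computing it`. simp_cst_propagation starts and ends outside the hunk.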
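Review bot: The new regression cases exercise the '>>' and 'a>>' guards but none exercises the '<<' guard added by the same commit, so that branch is the one a regression could silently reopen; a parallel entry `(ExprOp('<<', ExprInt(0x5E580475, 92), ExprInt(0x7D800000000000000331720, 92)),` / ` ExprInt(0x0, 92)),` would pin it. A further case with the count exactly equal to the width (`ExprInt(92, 92)`) would document that the guard's `>` rather than `>=` is intentional, since that count takes the computed path. The expected results are stated as constants, so the entries are self-describing; a short comment above them naming the motivation (shift counts that would otherwise blow up the Python int) would match the comment the previous entry already carries.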