Hello,
I found a reproducible crash in radbin when converting a malformed PDB/MSF file.
A crafted MSF file can set the MSF page size to zero. During MSF stream-table parsing, this value reaches msf_raw_stream_table_from_data() and causes an integer division by zero.
This appears distinct from existing radbin/PDB crash reports such as #803 and #792: this issue occurs in the MSF stream-table parser with page_size == 0, not in namespace lookup or later PDB conversion logic.
Tested version
Repository: EpicGames/raddebugger
Commit/version tested: eb87cb0
Tool: radbin
Platform: x86_64 Linux
Reproduction
./radbin tc3_msf70_page_size_zero.pdb --out:/tmp/out.rdi
A second minimal variant also reaches the same crash:
./radbin tc7_msf20_truncated.pdb --out:/tmp/out.rdi
Observed result
Plain build:
Floating point exception
ASan/UBSan build:
runtime error: division by zero
#0 msf_raw_stream_table_from_data src/msf/msf_parse.c:48
#1 p2r_convert src/rdi_from_pdb/rdi_from_pdb.c:411
Root cause
msf_raw_stream_table_from_data() derives or reads an MSF page size from the input file and later uses it as a divisor while computing the page count / stream table layout. A malformed input can make the page size zero, which is not rejected before the division.
Conceptually, the parser should reject page_size == 0 before any division or page-count calculation.
Impact
A malformed PDB/MSF file can crash radbin during conversion. I am not claiming code execution; the demonstrated impact is process crash / denial of service.
Suggested fix
Reject zero page size before calculating page counts or stream table offsets, for example:
if (page_size == 0) {
goto parse_done;
}
or return a parse error before calling any division helper with page_size as the divisor.
I have a minimized PoC package and sanitizer logs available if useful.
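As an added example that is not radbin's own code: a hardened MSF superblock check in C that rejects page_size == 0 (and other non-MSF page sizes) before any page-count division, and does the ceil division in 64 bits so it cannot wrap. The superblock field offsets, the 512..32768 power-of-two range, and every function name here are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Status codes for the hardened check (example code, not radbin's own API). */
typedef enum { MSF_OK = 0, MSF_ERR_TRUNCATED, MSF_ERR_PAGE_SIZE } MsfStatus;
/* Assumed MSF 7.0 superblock layout: 32-byte magic, u32 page size at 32, u32 directory size at 44. */
#define MSF70_OFF_PAGE_SIZE  32u
#define MSF70_OFF_DIR_BYTES  44u
#define MSF70_SUPERBLOCK_LEN 56u
/* Bounds-checked little-endian u32 read: fails instead of reading past the buffer. */
static int read_u32_le(const uint8_t *d, size_t len, size_t off, uint32_t *out) {
  if (off > len || len - off < 4) return 0;
  *out = (uint32_t)d[off] | ((uint32_t)d[off + 1] << 8) |
         ((uint32_t)d[off + 2] << 16) | ((uint32_t)d[off + 3] << 24);
  return 1;
}
static void write_u32_le(uint8_t *d, uint32_t v) {
  for (int i = 0; i < 4; i++) d[i] = (uint8_t)(v >> (8 * i));
}
/* MSF page sizes are powers of two from 512 to 32768 bytes; zero (the reported trigger)
   fails the range test, so no division ever sees it. */
int msf_page_size_is_valid(uint32_t page_size) {
  if (page_size < 512u || page_size > 32768u) return 0;
  return (page_size & (page_size - 1u)) == 0;
}
/* Ceil division done in 64 bits so bytes + page_size - 1 cannot wrap; a zero divisor
   is refused here too, as a second line of defence if a caller skipped validation. */
uint32_t msf_pages_for_bytes(uint32_t bytes, uint32_t page_size) {
  if (page_size == 0) return 0;
  return (uint32_t)(((uint64_t)bytes + page_size - 1u) / page_size);
}
/* Validates length and page size before computing how many pages the stream directory
   occupies. dir_pages may be NULL when only the verdict is wanted. */
MsfStatus msf_check_superblock(const uint8_t *data, size_t len, uint32_t *dir_pages) {
  uint32_t page_size, dir_bytes;
  if (len < MSF70_SUPERBLOCK_LEN ||
      !read_u32_le(data, len, MSF70_OFF_PAGE_SIZE, &page_size) ||
      !read_u32_le(data, len, MSF70_OFF_DIR_BYTES, &dir_bytes)) return MSF_ERR_TRUNCATED;
  if (!msf_page_size_is_valid(page_size)) return MSF_ERR_PAGE_SIZE;
  if (dir_pages) *dir_pages = msf_pages_for_bytes(dir_bytes, page_size);
  return MSF_OK;
}
/* Builds a constructed superblock (zeroed magic) with the given fields and checks it;
   page_size == 0 mirrors the shape of the input described in the report. */
MsfStatus msf_demo_status(uint32_t page_size, uint32_t dir_bytes, uint32_t *dir_pages) {
  uint8_t sb[MSF70_SUPERBLOCK_LEN] = {0};
  write_u32_le(sb + MSF70_OFF_PAGE_SIZE, page_size);
  write_u32_le(sb + MSF70_OFF_DIR_BYTES, dir_bytes);
  return msf_check_superblock(sb, sizeof sb, dir_pages);
}
```

With this ordering a zero page size returns MSF_ERR_PAGE_SIZE from msf_check_superblock and the divide in msf_pages_for_bytes is never reached, which is the property a regression test for the reported crash should assert.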