Hello,
I found another reproducible crash in radbin while converting a malformed PDB file.
This issue is separate from the MSF page-size division-by-zero issue I reported earlier. In this case, the malformed input reaches the PDB info parser, where an unknown/non-standard PDB version leaves an internal GUID pointer unset. The parser later dereferences it and crashes.
Tested version
Repository: EpicGames/raddebugger
Commit/version tested: eb87cb0
Tool: radbin
Platform: x86_64 Linux
Reproduction
./radbin tc6_pdb_null_deref_unknown_version.pdb --out:/tmp/out.rdi
Observed result
Plain build:
Segmentation fault
ASan build:
SEGV in pdb_info_from_data
#0 pdb_info_from_data src/pdb/pdb_parse.c:108
#1 p2r_convert src/rdi_from_pdb/rdi_from_pdb.c:449
The ASan trace also shows the crash occurring during a memcpy-like access from the invalid/unset source pointer.
Root cause
The PDB info parser appears to initialize an internal auth_guid pointer only for recognized PDB info versions. When the input uses an unknown but otherwise parseable version and includes fields that cause the parser to continue, auth_guid remains null/unset. Later code dereferences it while assigning or copying the GUID into the parsed result.
Conceptually, the parser should reject unknown PDB info versions before using version-dependent fields, or check that auth_guid is non-null before dereferencing it.
Impact
A malformed PDB file can crash radbin during conversion. I am not claiming code execution; the demonstrated impact is process crash / denial of service.
Suggested fix
Reject unsupported PDB info versions early, or guard the dereference, for example:
if (auth_guid == 0) {
    /* unknown PDB info version: the GUID pointer was never set */
    goto parse_done;
}
or return a parse error before copying from auth_guid.
I have a minimized PoC package and sanitizer logs available if useful.
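A minimal parser sketch, added here as an illustration and not code from raddebugger, showing the early-reject shape suggested above: the GUID pointer is set only by the branch for a recognised version and is checked before the copy, so an unknown version becomes a parse error rather than a read through a null pointer. The field layout, the VC70 version word 20000404 and the sample header are assumptions of this example, not values taken from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout, not the project's own: u32 version, u32 timestamp, u32 age,
   then a 16-byte GUID present only for the VC70-style version, whose
   version word is assumed here to be 20000404. */
#define PDB_INFO_VC70  20000404u
#define PDB_INFO_FIXED 12u
#define PDB_GUID_SIZE  16u

typedef struct { uint32_t version; uint32_t age; uint8_t guid[PDB_GUID_SIZE]; } PdbInfo;

/* Returns 1 on success, 0 on parse error. auth_guid is set only by the branch
   that knows where the GUID lives and is checked before any copy, so an
   unknown version becomes a parse error instead of a read through NULL. */
int parse_pdb_info(const uint8_t *data, size_t size, PdbInfo *out)
{
    const uint8_t *auth_guid = NULL;
    memset(out, 0, sizeof(*out));
    if (size < PDB_INFO_FIXED) return 0;
    memcpy(&out->version, data, 4);
    memcpy(&out->age, data + 8, 4);
    if (out->version == PDB_INFO_VC70) {
        if (size < PDB_INFO_FIXED + PDB_GUID_SIZE) return 0;
        auth_guid = data + PDB_INFO_FIXED;
    }
    if (auth_guid == NULL) return 0;   /* unrecognized version: reject early */
    memcpy(out->guid, auth_guid, PDB_GUID_SIZE);
    return 1;
}

/* Builds a constructed 28-byte sample header with the given version word
   (age 3, GUID bytes 0x00..0x0f), truncates it to `size`, and parses it. */
int demo_parse(uint32_t version, size_t size, PdbInfo *info)
{
    uint8_t buf[PDB_INFO_FIXED + PDB_GUID_SIZE] = {0};
    uint32_t age = 3;
    memcpy(buf, &version, 4);
    memcpy(buf + 8, &age, 4);
    for (unsigned i = 0; i < PDB_GUID_SIZE; i++) buf[PDB_INFO_FIXED + i] = (uint8_t)i;
    if (size > sizeof buf) size = sizeof buf;
    return parse_pdb_info(buf, size, info);
}
```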