Hello,
I found another reproducible crash in radbin while converting malformed PDB/MSF files.
This appears separate from #792. That issue was a namespace lookup divide/modulo-by-zero in rdi_from_pdb/rdi_from_pdb.c when no namespace records are present. This issue crashes earlier/differently in the PDB GSI parser, specifically in pdb_gsi_from_data(), after parsing a malformed MSF stream table / stream count.
Tested version
Repository: EpicGames/raddebugger
Commit/version tested: eb87cb0
Tool: radbin
Platform: x86_64 Linux
Reproduction
./radbin tc4_msf70_huge_stream_table.pdb --out:/tmp/out.rdi
A second variant also reaches the same crash:
./radbin tc5_msf70_huge_stream_count.pdb --out:/tmp/out.rdi
Observed result
Plain build:
Segmentation fault
ASan/UBSan build:
runtime error: applying non-zero offset to null pointer
runtime error: applying zero offset to null pointer
#0 pdb_gsi_from_data src/pdb/pdb_parse.c:468
#1 p2r_convert src/rdi_from_pdb/rdi_from_pdb.c:526
Root cause
A malformed MSF stream table / stream count can make later PDB stream parsing proceed with missing or invalid stream data. The GSI parser then dereferences or performs pointer arithmetic on invalid/null stream data while parsing global symbol information.
This is distinct from namespace-table lookup issues: the crash occurs in pdb_gsi_from_data() while handling malformed stream data, not during namespace hash table lookup.
Impact
A malformed PDB/MSF file can crash radbin during conversion. I am not claiming code execution; the demonstrated impact is process crash / denial of service.
Suggested fix
Before entering pdb_gsi_from_data(), validate that the required GSI stream exists and has a valid non-zero range. Inside pdb_gsi_from_data(), reject null or too-short input before performing pointer arithmetic or reading GSI headers.
I have minimized PoCs and sanitizer logs available if useful.
Hello,
I found another reproducible crash in radbin while converting malformed PDB/MSF files.
This appears separate from #792. That issue was a namespace lookup divide/modulo-by-zero in rdi_from_pdb/rdi_from_pdb.c when no namespace records are present. This issue crashes earlier/differently in the PDB GSI parser, specifically in pdb_gsi_from_data(), after parsing a malformed MSF stream table / stream count.
Tested version
Repository: EpicGames/raddebugger
Commit/version tested: eb87cb0
Tool: radbin
Platform: x86_64 Linux
Reproduction
./radbin tc4_msf70_huge_stream_table.pdb --out:/tmp/out.rdi
A second variant also reaches the same crash:
./radbin tc5_msf70_huge_stream_count.pdb --out:/tmp/out.rdi
Observed result
Plain build:
Segmentation fault
ASan/UBSan build:
runtime error: applying non-zero offset to null pointer
runtime error: applying zero offset to null pointer
#0 pdb_gsi_from_data src/pdb/pdb_parse.c:468
#1 p2r_convert src/rdi_from_pdb/rdi_from_pdb.c:526
Root cause
A malformed MSF stream table / stream count can make later PDB stream parsing proceed with missing or invalid stream data. The GSI parser then dereferences or performs pointer arithmetic on invalid/null stream data while parsing global symbol information.
This is distinct from namespace-table lookup issues: the crash occurs in pdb_gsi_from_data() while handling malformed stream data, not during namespace hash table lookup.
Impact
A malformed PDB/MSF file can crash radbin during conversion. I am not claiming code execution; the demonstrated impact is process crash / denial of service.
Suggested fix
Before entering pdb_gsi_from_data(), validate that the required GSI stream exists and has a valid non-zero range. Inside pdb_gsi_from_data(), reject null or too-short input before performing pointer arithmetic or reading GSI headers.
I have minimized PoCs and sanitizer logs available if useful.