radare2

Authors

0xf00sec AGhebrea Abhi Adam LaPoint Adam Satko Ahmethan G. Claude Jake Lamberson Ole André Vadla Ravnås Quentin Buathier awlapoint-afk buzzer-re condret jro-calif jwntree pancake pancake pancake phix33 potato

Changes

analysis

• Use dash for callargs modifier and support rnum expressions
• Rework aCe/aCf to support plaintext, JSON and r2 output modes
• Improve scoring strategy for the function autoname
• Fix arm64 jmptbl detection for multi-LEA dispatchers
• Fix leak, dead branch and int overflow in jmptbl code
• Fix some possible command injection analysis scripts
• Fix afv* for afvr variants
• Extend RAnalPlugin to hook preanalysis commands if elligible
• Add r_anal_xrefs_setf to avoid fcn lookups for a 3% speedup
• Better conditional return instructions support (z80, arm, nds32)
• Remove redundant zeroing in RAnalOp.init
• Refactor autoname into analysis plugin (a:autoname)
• Performance improvements in arch and analysis
• Add RAnalPlugin.thumb to scan code for mode-switch hints
• Resolve PPC64 ELFv1 TOC-relative address chains in
• Add more binary magic signatures to is_bin() in data
• Remove r_anal_archinfo in favor of r_arch_info
• Use R_ANAL_DATA_TYPE_ZERO for zero-filled data instead of INVALID
• Implement wide string length measurement in is_string()
• Import the C rewrite of the gopcintab plugin by @asherdll
• Materialize switch cases through core analysis
• Expose typed function context with params, stack slots, and base types

arch

• Fix a bunch of logic bugs for v850 esil
• Improve pseudo for nds32
• Refactor the nds32 esil cooker from O(n) to O(1)
• Support inline function calls for NDS32 via ESIL
• Cache capstone options in x86/arm/mips arch plugins
• Improve ESIL for v850
• Fix satsub disasm text for v850
• Refactor nds32 ESIL argument handling for O(1) access and safer parsing
• Extend nds32 optype and esil support
• Use encoder fallback in arch session encode

asm

• Initial generic support for camel syntax
• Use the RArch api from RAsm instead of the anal callbacks

bin

• Fix a couple of boundary checks causing minor oobreads in the dmp parser
• Fix logic bugs, cleanup and simplify the PDB parser
• Fix memory leaks, endian issues and major cleanup for WAD
• Fix logic bugs, memory leaks and cleanup in the OMF parser
• Fix logic bugs, memory leaks and cleanup in the mach0 parsers
• Fix logic bugs, type mismatches and missing bounds checks in the ELF parser
• Cleanup and fix logic bugs in the DEX parser
• Fix memleak, off-by-one and unchecked init failure in the XCOFF64 parser
• Fix wrong type and unchecked read in PE section parsing
• Fix UB reads in the XBE parser
• Fix OOB loops in resize_section, del_rpath and segment_perms for elfwrite
• Segment permission patching for mach0s
• Implement rabin2-OP to patch segment permissions (Op is for sections)
• Improve elf write via rabin2 -O to patch segment permissions
• Use API (instead of cmd) and check for double redirects for bclass
• Add support for nds32 elf relocs
• Limit Swift demangler substring appends to 255 bytes
• Improve special hint symbols for ARM (elf/macho)
• Support more v850 relocs
• Extend Swift demangler with more abbreviation tables and conforms
• Improve class name extraction from demangled Swift symbols
• Fix ppc64be imports, symbols and entrypoint addresses
• Fix #25715 - wrong string vaddrs in kernelcache plugin for fat Mach-O binaries
• Entorce bclass sanitize right before use in core
• Fix #25707 - slow iOS kernelcache loading by bulk-reading into memory
• Fix memory leaks and unnecessary checks for dyldcache
• Fix memory leaks in the DEX parser
• Fix memory leaks in the PE parser
• Fix ELF versioninfo bounds and dynstr guards
• Fix clear deinits, memleaks and a heap overflow in mach0
• JNI_* symbols must be listed as entry-symbols via ies
• Autoload JNI types when loading
• Fix #24453 - Remove fixed flagName size
• Fix mdmp loop count underflow in bounds check
• Maxbound strings to 512 chars
• Clean up PE delay import parsing
• Fix PE delay import directory parsing
• Fix bin.limit consistency in Mach-O and .NET
• Fix memory leak when using RBinLimit with DEX
• Respect RBinLimit for PE too
• Respect RBinLimit in DEX
• Make bin.limit consistent across bin listings
• Respect RBinLimit when preallocating arrays in ELF and MACHO

build

• Install to lib64 on Fedora/RHEL/SUSE
• Fix quarantine related build error with scmangle
• Fix compilation in illumos

ci

• Add github actions for radare2
• Compile with FilC and ship the artifacts

cons

• Fix tv_usec overflow in r_cons_readchar_timeout for msec >= 1000
• Fix OOB write and underflow in winutils __fill_tail
• Fix overlapping strncpy in dietline kill-to-start handlers
• Fix cursor restore and OOB read in w32 xterm size probe
• Fix width clipping arithmetic in r_cons_print_at
• Fix rainbow buffer realloc and zero-size handling in r_cons_rainbow_new
• Shorter codepath for color2rgb
• Performance improvements in grep, dietline and canvas
• Fix parsing bold ansi colors to html

core

• Rename RCore.cmdCall to RCore.call
• Clarify cfg.sandbox.grain help text
• Fix endianness handling in cmd_write_inc
• Fix @@c parsing regression in @dp/@dr handling
• Rename R_CORE_LOADLIBS_ALL to R_LIB_LOAD_ALL
• Introduce R2_PLUGINS_ORDER to specify locations

crash

• Fix UAF when loading the same r2js script twice
• Fix some more integer overflows in NSO TE PE NE
• Extra check for boundary checks in the kernelcache
• Fix partial read bug in truncated kernelcache files
• Fix some integer overflows causing undersized allocations resulting in oobwrites
• Fix ubread in io.maps=bin.sections
• Fix invalied underflow state in the rbtree
• Fix integer underflow in the wfs command
• Fix overflowed array index in the rap server
• Avoid reading tainted phnum in ELF and cache a valid one once
• Harden winkd packet parsing against malformed KD/KDNet input
• Harden PDB parser against malformed TPI/DBI streams
• Fix multiple OOB reads and overflows in PDB parser
• Fix infinite loop and uninitialized free in PDB DBI module parser
• Fix r2 script injection via DWARF filenames in idL* output
• Fix oobread bug in r2k-linux and major cleanup
• Fix several oobread/oobwrite issues in shlr/gdb
• Fix several oobread/oobwrite issues in shlr/qnx
• Fix #25786 - heap buffer overflow in qnxr_read_memory
• Fix nds32_init_args crash + other side bugs spotted in the process
• Fix null deref in r_flag_tags_list when sdb is corrupted
• Refactor MSVC RTTI name reader and fix unchecked read loop
• Fix non-null terminated and zerosize file slurp bugs
• Fix OOB write and underflow in winutils __fill_tail
• Fix double-free and silence OOB warnings in r_cons_canvas_resize
• Fix OOB pointer arithmetic in regex p_bracket lookahead
• RFile.new can now take null as root without crashing
• Fix use-after-free and silent truncation in lines cache init
• Fix uaf in the elf parser
• Fix buffer overflows in xtensa disassembler
• Fix buffer overflows in tms320 disassembler
• Fix buffer overflow in m68k disassembler
• Fix buffer overflows in cris disassembler
• Fix buffer overflows in arc disassembler
• Limit ASN.1 hex string expansion to prevent memory exhaustion
• Fix GNS1 segment bounds checks to avoid overflow
• Avoid copying partial or overflowed ansi codes in rcons
• Fix uaf in r_asm_from_string
• Fix buffer overflow in dietline gcomp_line copy operations
• Use r_config_set API instead of r_core_cmdf for anal.cc
• Fix heap-buffer-overflow in macho parse_import_stub
• Fix OOM in mdmp parser due to unsigned underflow in safe_loop_count
• Fix integer overflow in parse_symbol_table() (CID 1646630)
• Fix integer overflow in parse_symbol_table
• Fix memleaks and heap-overflow in ELF parser for duplicate sections
• Fix heap overflow in egglang using 4096 variables
• Remove dead code, off by one and a null check in the esil analisis loop
• Harden SOM string-table bounds checks
• Fix r_str_wrap allocation sizing
• Fix #25650 - Command injection in curl PDB download
• Fix oobread bugs in the dotnet header parser
• Fix SSL crash in r_socket_connect: goto success instead of return true
• Fix #25636 - Oobwrite in the xtr.sep64 parser
• Fix webserver uaf based on @as0ler PR
• Fix pd-- heap overflow on long offsets
• Fix checkpoint snapshot ownership double free
• Fix seven charset decode buffer overflow
• Fix .hex directive odd-length parsing overflow
• Validate .cfloat bit sizes to prevent negative byte lengths
• Initialize command autocompletion before loading plugins

debug

• ptracewrap error handling and lock fixes
• Implement hardware breakpoints for winkd
• Implement single stepping and wait reasons for winkd
• Cleanup gdb responses, dedup death/thread parsing, remove dead code
• Add branchable debug session checkpoints
• Fix memory leaks, reduce LOCs and cleanup r_bp
• Add @p:PID and the @dr:/@dp: aliases for temporal attach

disasm

• Cache flag lookups in ds_print_ptr to avoid redundant calls

flags

• Fix lower zone tracking in r_flag_zone_around
• Preserve rawname and demangled in flag clones
• Fix flag zone list format strings

fs

• Fix memory leak in the zip filesystem
• Fix kvloc bounds validation and cleanup APFS btree parsing

http

• Webserver stop bug fixes

io

• Check allocation and insert in io_treebuf __write fallback
• Fix leak, drop dead code and bool return in io_xattr
• Guard io_dsc rebase loop against non-8-aligned count
• Fix io_r2web read to copy decoded byte count
• Fix io_sparse partial read propagation and RBuffer leak
• Fix r2pipe write return value and NULL-deref on read
• Format uf2:// and add a couple of new device families

magic

• Bring back the magic file baked apis + perf improvements
• Add buffer-baked functions in r_magic

panels

• Add Analysis.Plugins submenu and menuitem description
• Add filesystem manager, fs and js shells into
• Automatic scrolling and paning out of screen menubars

print

• Fix pp2/pp4/pp8 endian issues
• Honor cfg.bigendian in pp2, pp4 and pp8 commands
• Fix CSV escaping in RTable as for rfc4180
• Implement r_print_code_indent for C-like code indentation via ~:}
• Add pdub and pdur (until eob and until ret) commands

projects

• Cleanup project code and check for missing file on load
• Optional absolute file paths
• Show in Pi if those are new format
• Add json and show filepath, timestamp info in Pi
• Rename prj.alwasyprompt to prj.prompt

pseudo

• Initial support for while statements in pdc
• Fix pdca/pdco output with synthethic helpers
• Smarter switch labels, inline returns and label suppression in pdc
• Improve synthetic return statements to reduce gotos
• Initial support for switch statements in pdc

r2pm

• Fix ldpath handling on Termux

r2r

• Fix r2r subprocess teardown vector invalidation

sandbox

• Add network granularity for localhost/network

search

• Use r_str_trim_head_ro() in keyword search
• All search ref commands accept multiple targets now

security

• Fix logic bug spotted by codex security related to traversal path sandbox bypass
• Set restrictive umask around mkstemp in r_file_mkstemp
• Sanitize all the analysis hints for newlines
• Faster meta dumping with less boilerplate using quote commands
• Fix some more theorical shell injection vulns in projects
• Fix command injection in debug, type, mount and cbin commands
• Properly use and escape shell formatting system calls
• Improve r_str_escape_sh for Windows
• Fix command injection bugs in visual menus for flags and types
• Fix command injection when interactively setting flags in visual
• Fix command injection when changing register value in panels
• Fix command injection in cmd_open
• Fix two command injection bugs in t subcommands
• Fix command injection disasm.c via format binds
• Fix command injection vulns in aaF
• Fix command injection in idp command
• Fix command injection bugs in f commands
• Fix a command injection bug in cmd_print
• Fix command injection in abe command and add r_core_callf_at
• Sanitize zignature script output
• Fix command injection via graph node title
• Fix #25752 - Another command injection caused by the bad previous fix
• Reuse and improve the string sanity apis
• Reuse and improve the string sanity apis
• Be super picky about the sand grains
• Harden r_str_sanitize_r2 a little bit more
• Fix #25730 - command injection in pdb loading realnames
• Fix #25708 - command injection vulnerability via RBinInfo.bfile
• Sanitize bclass read from binary data in smd, io and pebble plugins

shell

• Implement -E command, it was already documented
• Add dot-quote commands support
• Fix a crash and gracefully handle ob*?
• Fix support for trailing space and newlines in scr.prompt.format
• Numeric and boolean config vars show description when set to '?'
• Better commandline handling of invalid r2pm flags
• Remove Cz metadata alias (Use Csz instead)

socket

• Fallback to curl when r2 is built without ssl and tries to https

tests

• Improve jq-r2r-js script for better testsuite profiling results
• Log interrupted tests when r2r is killed
• Fix r2r errors when r2/rasm2 not in path
• Various fixes for r2r, memleaks, wrong timeouts and counters

types

• Detect JNI_ symbols in utype function guessing

util

• Add and use R_INBETWEEN macro to handle ranges in ranges
• Honor short reads in get_whole_buf and r_buf_tostring
• Fix #12007 - Use RVec for RLog callbacks
• Improve the XML DOM parser
• Base64 decode now have "strict" option
• Add thead/th header row to r_table_tohtml output
• Validate underscore placement in hex literals
• Add r_json_parsedup that owns and frees the input string
• Optimize r_str_last() to search from end of string

utils

• Base64 decode now have "strict" option

visual

• Cleanup panels, fix UAF and leaks, dedup code, add helpers
• Fix key hints for push common on windows binaries

vulnerability

• Also sanitize newlines, solving some command injection bugs