Fix potential buffer over-read in getTagAsString

xiaoyinl · xiaoyinl · commit 055d6b533486 · 2019-11-08T19:57:41.000+08:00
If `tag` equals `_countof(SYMBOL_TAG_STRINGS)`, then this function
will read one element beyond the boundary of SYMBOL_TAG_STRINGS array.
diff --git a/Ghidra/Features/PDB/src/pdb/cpp/symbol.cpp b/Ghidra/Features/PDB/src/pdb/cpp/symbol.cpp
@@ -239,7 +239,7 @@ DWORD getTag(IDiaSymbol& symbol) {
 
 std::wstring getTagAsString(IDiaSymbol& symbol) {
 	const DWORD tag = getTag(symbol);
-	if (tag > _countof(SYMBOL_TAG_STRINGS))	{
+	if (tag > _countof(SYMBOL_TAG_STRINGS) - 1)	{
 		return L"";
 	}
 	return SYMBOL_TAG_STRINGS[tag];

Original file line number	Diff line number	Diff line change
`@@ -239,7 +239,7 @@ DWORD getTag(IDiaSymbol& symbol) {`
`239`	`239`
`240`	`240`	`std::wstring getTagAsString(IDiaSymbol& symbol) {`
`241`	`241`	`const DWORD tag = getTag(symbol);`
`242`		`- if (tag > _countof(SYMBOL_TAG_STRINGS)) {`
	`242`	`+ if (tag > _countof(SYMBOL_TAG_STRINGS) - 1) {`
`243`	`243`	`return L"";`
`244`	`244`	`}`
`245`	`245`	`return SYMBOL_TAG_STRINGS[tag];`