make webfrontend more robust #337

Closed
zonkzonk opened this issue Nov 10, 2013 · 3 comments

Comments

@zonkzonk
Contributor

how to reproduce

r2 -e 'public http server true' -c=H -d /bin/sh
goto convert/code

Enter -1

Block size -1 is too big
Segmentation fault

dump

gdb `which r2`
GNU gdb (GDB) 7.6.1
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/...
Reading symbols from /usr/local/bin/radare2...done.
(gdb) b main
Breakpoint 1 at 0x402b83: file radare2.c, line 159.
(gdb) r -e 'public http server true' -c=H -d /bin/sh
Starting program: /usr/local/bin/r2 -e 'public http server true' -c=H -d /bin/sh
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".

Breakpoint 1, main (argc=6, argv=0x7fffffffeb38) at radare2.c:159
warning: Source file is more recent than executable.
159 RThreadLock *lock = NULL;
(gdb) s
160 RThread *rabin_th = NULL;
(gdb) c
Continuing.
r_config_get: variable 'public http server true' not found
Process with PID 4904 started...
PID = 4904
r_config_get: variable 'public http server true' not found
r_debug_select: 4904 4904
r_config_get: variable 'public http server true' not found
Starting http server...
http://localhost:9090/
START /usr/lib/firefox/firefox "http://localhost:9090/"

program received signal SIGSEGV, Segmentation fault.
0x00007ffff3d59bee in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
(gdb) bt full
#0 0x00007ffff3d59bee in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6

No symbol table info available.
#1 0x00007ffff7ba7260 in r_core_yank (core=0x606900 , addr=140737351901808, len=-1) at yank.c:30

    oldbsz = 256
    curseek = 140737351901808

#2 0x00007ffff7b98e0a in cmd_yank (data=0x606900 , input=0x197bb11 " -1") at cmd.c:223

    i = 0
    n = 140737320175159
    core = 0x606900 <r>

#3 0x00007ffff5f9aeb7 in r_cmd_call (cmd=0x68cb30, input=0x197bb10 "y -1") at cmd.c:166

    c = 0x68eb80
    ret = -1
    iter = 0x0
    cp = 0x68dae0

#4 0x00007ffff7b9be14 in r_core_cmd_subst_i (core=0x606900 , cmd=0x197bb10 "y -1") at cmd.c:1214

    quotestr = 0x7ffff7bcd678 "`"
    tick = 0x0
    ptr = 0x0
    ptr2 = 0x0
    str = 0x0
    arroba = 0x0
    i = 32767
    ret = -8624
    pipefd = -8480
    usemyblock = 0

#5 0x00007ffff7b9a73b in r_core_cmd_subst (core=0x606900 , cmd=0x197bb10 "y -1") at cmd.c:798

    ret = 32767
    rep = 0
    cmt = 0x0
    colon = 0x0
    icmd = 0x197bb10 "y -1"

#6 0x00007ffff7b9cdc5 in r_core_cmd_str_pipe (core=0x606900 , cmd=0x1979265 "y -1") at cmd.c:1522

    _cmd = 0x197c020 "y -1"
    pipefd = 56
    s = 0x197926b ""
    tmp = 0x19818a0 "/tmp/cmdqo3UZl"

#7 0x00007ffff7bae5a1 in r_core_rtr_http (core=0x606900 , launch=1, path=0x191f9b2 "") at rtr.c:189

    out = 0x19818a0 "/tmp/cmdqo3UZl"
    cmd = 0x1979265 "y -1"
    cmd = 0x1979265 "y -1"
    foo = "Location: /enyo/\n\000calhost:9090/ "
    httpcmd = 0x6bfef0 ""
    buf = "\320\337\377\377\377\177\000\000\300\337\377\377\377\177\000\000\325\016D\224\000\000\000\000\220̶\367\377\177\000"
    rs = 0x197bad0
    iport = 0
    oldsandbox = -1
    timeout = 3
    x = 0
    y = 1
    z = 1
    u = 1
    v = 0
    port = 0x6bfa80 "9090"
    allow = 0x6bf600 ""
#8 0x00007ffff7b98cc4 in cmd_rap (data=0x606900 , input=0x191f9b1 "H") at cmd.c:204

    core = 0x606900 <r>

#9 0x00007ffff5f9aeb7 in r_cmd_call (cmd=0x68cb30, input=0x191f9b0 "=H") at cmd.c:166

    c = 0x68eec0
    ret = -1
    iter = 0x0
    cp = 0x68dae0

#10 0x00007ffff7b9be14 in r_core_cmd_subst_i (core=0x606900 , cmd=0x191f9b0 "=H") at cmd.c:1214

    quotestr = 0x7ffff7bcd678 "`"
    tick = 0x0
    ptr = 0x0
    ptr2 = 0x6bd1a0 "(\023"
    str = 0x0
    arroba = 0x0
    i = 32767
    ret = -6560
    pipefd = 4112
    usemyblock = 0

#11 0x00007ffff7b9a73b in r_core_cmd_subst (core=0x606900 , cmd=0x191f9b0 "=H") at cmd.c:798

    ret = 0
    rep = 0
    cmt = 0x0
    colon = 0x0
    icmd = 0x191f9b0 "=H"

---Type to continue, or q to quit---
#12 0x00007ffff7b9c77c in r_core_cmd (core=0x606900 , cstr=0x7fffffffedb3 "=H", log=0) at cmd.c:1383

    cmd = 0x1975220 "=H"
    ocmd = 0x1975220 "=H"
    ptr = 0x0
    rcmd = 0x1975220 "=H"
    ret = 0

#13 0x00007ffff7b9cce3 in r_core_cmd0 (user=0x606900 , cmd=0x7fffffffedb3 "=H") at cmd.c:1503

No locals.
#14 0x000000000040440a in main (argc=6, argv=0x7fffffffeb38) at radare2.c:550

    lock = 0x0
    rabin_th = 0x0
    iter = 0x6d95c0
    cmdn = 0x7fffffffedb3 "=H"
    fh = 0x6bd1d0
    patchfile = 0x0
    prj = 0x0
    has_project = 0
    ret = 32767
    i = 0
    c = -1
    perms = 6
    do_connect = 0
    do_analysis = 0
    run_anal = 1
    run_rc = 1
    help = 0
    debug = 1
    fullfile = 0
    baddr = 0
    seek = 18446744073709551615
    pfile = 0x6d9be0 "dbg:///bin/sh"
    file = 0x6d9be0 "dbg:///bin/sh"
    cmdfile = {0x0, 0x7ffff7fccad0 "\350\343\377\367\377\177", 0x7fffffffe958 "\377\377\377\377\377\177",
      0x7ffff7de5b6c <check_match.9447+300> "\205\300t\212\351r\377\377\377<\006\017\204\345\376\377\377\061\300\220\353\320I\213|$\020H\205\377\017\204j\377\377\377\350{m", 0x1 <Address 0x1 out of bounds>, 0x6562b026 <Address 0x6562b026 out of bounds>, 0x0, 0x1 <Address 0x1 out of bounds>,
      0x7ffff7ffe6f0 "\310\346\377\367\377\177",
      0x7ffff7de6360 <do_lookup_x+1952> "H\205\300L\213L$\bL\213D$\030L\213\\$(t\244\351\371\371\377\377L\213T$X1\300A\017\266\nH\205\311\017\204\213", 0x7fff00000001 <Address 0x7fff00000001 out of bounds>, 0x7fffffffe870 "", 0x7ffff7ffa160 "", 0x7ffff7ffa1d8 "6", 0x7fffffffe980 "\020\200f",
      0x7fffffffe970 "\001", 0x0,
      0x7ffff7de5b6c <check_match.9447+300> "\205\300t\212\351r\377\377\377<\006\017\204\345\376\377\377\061\300\220\353\320I\213|$\020H\205\377\017\204j\377\377\377\350{m", 0x0, 0xf63d4e2e <Address 0xf63d4e2e out of bounds>, 0x1d <Address 0x1d out of bounds>, 0x21 <Address 0x21 out of bounds>,
      0x7ffff7fccee0 "0\341\377\367\377\177",
      0x7ffff7de64de <do_lookup_x+2334> "H\205\300L\213L$\bL\213D$(L\213\\$0\017\205|\370\377\377H\213T$\030H\213t$\020\213\n\351y\377\377\377H\215\r\236\f\001", 0x0, 0x7fffffffe8e0 "\210R@", 0x7ffff3cced28 "", 0x7ffff3cdb1a8 "2(", 0x7fffffffe9f0 "\377\377\377\377\377\377\377\377",
      0x3d8f538 <Address 0x3d8f538 out of bounds>, 0x7fffffffe9e0 "\340\233m", 0x7ffff7ffe6c8 ""}
    debugbackend = 0x404f7b "native"
    asmarch = 0x0
    asmos = 0x0
    asmbits = 0x0
    mapaddr = 0
    quiet = 0
    is_gdb = 0
    cmds = 0x668010
    evals = 0x668030
    cmdfilei = 0

(gdb) bt
#0 0x00007ffff3d59bee in __memcpy_sse2_unaligned () from /usr/lib/libc.so.6
#1 0x00007ffff7ba7260 in r_core_yank (core=0x606900 , addr=140737351901808, len=-1) at yank.c:30
#2 0x00007ffff7b98e0a in cmd_yank (data=0x606900 , input=0x197bb11 " -1") at cmd.c:223
#3 0x00007ffff5f9aeb7 in r_cmd_call (cmd=0x68cb30, input=0x197bb10 "y -1") at cmd.c:166
#4 0x00007ffff7b9be14 in r_core_cmd_subst_i (core=0x606900 , cmd=0x197bb10 "y -1") at cmd.c:1214
#5 0x00007ffff7b9a73b in r_core_cmd_subst (core=0x606900 , cmd=0x197bb10 "y -1") at cmd.c:798
#6 0x00007ffff7b9cdc5 in r_core_cmd_str_pipe (core=0x606900 , cmd=0x1979265 "y -1") at cmd.c:1522
#7 0x00007ffff7bae5a1 in r_core_rtr_http (core=0x606900 , launch=1, path=0x191f9b2 "") at rtr.c:189
#8 0x00007ffff7b98cc4 in cmd_rap (data=0x606900 , input=0x191f9b1 "H") at cmd.c:204
#9 0x00007ffff5f9aeb7 in r_cmd_call (cmd=0x68cb30, input=0x191f9b0 "=H") at cmd.c:166
#10 0x00007ffff7b9be14 in r_core_cmd_subst_i (core=0x606900 , cmd=0x191f9b0 "=H") at cmd.c:1214
#11 0x00007ffff7b9a73b in r_core_cmd_subst (core=0x606900 , cmd=0x191f9b0 "=H") at cmd.c:798
#12 0x00007ffff7b9c77c in r_core_cmd (core=0x606900 , cstr=0x7fffffffedb3 "=H", log=0) at cmd.c:1383
#13 0x00007ffff7b9cce3 in r_core_cmd0 (user=0x606900 , cmd=0x7fffffffedb3 "=H") at cmd.c:1503
#14 0x000000000040440a in main (argc=6, argv=0x7fffffffeb38) at radare2.c:550

(gdb) i f
Stack level 0, frame at 0x7fffffffd8a0:
rip = 0x7ffff3d59bee in __memcpy_sse2_unaligned; saved rip 0x7ffff7ba7260
called by frame at 0x7fffffffd8e0
Arglist at 0x7fffffffd890, args:
Locals at 0x7fffffffd890, Previous frame's sp is 0x7fffffffd8a0
Saved registers:
rip at 0x7fffffffd898
(gdb) i r
rax 0xfffffffffffffff0 -16
rbx 0x19791d0 26710480
rcx 0x0 0
rdx 0xffffffffffffffff -1
rsi 0x1981ee0 26746592
rdi 0x0 0
rbp 0x7fffffffd8d0 0x7fffffffd8d0
rsp 0x7fffffffd898 0x7fffffffd898
r8 0x1 1
r9 0xfffffffffffffff 1152921504606846975
r10 0x7fffffffd660 140737488344672
r11 0x7ffff3d59a70 140737284250224
r12 0x4026a0 4204192
r13 0x7fffffffeb30 140737488350000
r14 0x0 0
r15 0x0 0
rip 0x7ffff3d59bee 0x7ffff3d59bee <__memcpy_sse2_unaligned+382>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

(gdb) !r2 -v
radare2 0.9.5git @ linux-little-x86-64 git.0.9.4-584-g3b95036
commit: 3b95036 build: 2013-11-06

@radare
Collaborator

radare commented Nov 10, 2013

The bug has nothing to do with the webserver or debugger.

The crash happens when yanking a negative length of bytes: 'y -1'. I will fix that bug later when I have time to use the laptop.

Also, the -e flag is wrongly used.

"Public http server true" is nothing parseable by rconfig. The flag you need is: -e http.public=true

Thanks for reporting. I will release today, and we will hopefully not find many more crashes like that :)

On 10 Nov 2013, at 20:32, zonkzonk [email protected] wrote:

@zonkzonk
Contributor Author

OK, thanks for clarifying. Sadly, here is a related 'thing' to 'y -1':

$ r2 /bin/sh
-- Undefined symbol 'r__n_l_f_st_ng'
[0x00418390]> y 0
[0x00418390]> y a
*** Error in `r2': malloc(): memory corruption: 0x0000000001a24870 ***

Waiting for release now :)

@zonkzonk
Contributor Author

Actually, the 2nd 'thing' seems to occur after every two invocations, see:

[0x00418390]> y -
[0x00418390]> y 0
*** Error in `r2': free(): invalid next size (fast): 0x0000000000fee0e0 ***
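
Added example, not radare2's code and not the fix the maintainer applied for this issue: a hypothetical C model of a yank command's length handling. It shows why a signed length of -1 is lethal once it reaches memcpy's size_t parameter (in the register dump above, rdx, which carries memcpy's length argument under the x86-64 SysV calling convention, is 0xffffffffffffffff, and rdi, the destination, is 0, i.e. a NULL pointer, which is what a failed allocation of that size would leave behind), and beside it a hardened version that rejects the inputs reported in this thread, `-1`, `a` and `-`, plus `0`, before any allocation or copy happens. The `Core` struct, `parse_yank_len`, `core_yank`, the 256-byte block (chosen to mirror `oldbsz = 256` in the dump) and the error codes are all assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a core with a current block and a yank buffer.
 * This is NOT radare2's RCore or r_core_yank; names and layout are assumed. */
typedef struct {
    unsigned char block[256];   /* current block; 256 mirrors oldbsz in the dump */
    size_t blocksize;
    unsigned char *yank;        /* owned copy of the last yanked bytes, or NULL */
    size_t yank_len;
} Core;

typedef enum {
    YANK_OK = 0,
    YANK_ERR_NOT_A_NUMBER,      /* "a", "-" */
    YANK_ERR_NEGATIVE,          /* "-1" */
    YANK_ERR_ZERO,              /* "0": nothing to copy, rejected here by design */
    YANK_ERR_TOO_BIG,           /* larger than the block we would copy from */
    YANK_ERR_NOMEM
} YankStatus;

static const char *const yank_status_name[] = {
    "ok", "not a number", "negative length", "zero length", "too big", "out of memory"
};

/* The unchecked path: an `int len` of -1 converted to memcpy's size_t
 * parameter becomes SIZE_MAX, the rdx = 0xffffffffffffffff seen in the dump. */
size_t naive_memcpy_len(int len) {
    return (size_t)len;
}

/* Strict parser: the whole argument must be a decimal integer in (0, blocksize].
 * Checking the sign BEFORE converting to size_t is the whole point. */
YankStatus parse_yank_len(const char *arg, size_t blocksize, size_t *out) {
    char *end = NULL;
    while (*arg == ' ') arg++;
    if (*arg == '\0') return YANK_ERR_NOT_A_NUMBER;
    errno = 0;
    long long v = strtoll(arg, &end, 10);
    if (end == arg || *end != '\0') return YANK_ERR_NOT_A_NUMBER;  /* "a", "-", "12x" */
    if (errno == ERANGE) return YANK_ERR_TOO_BIG;
    if (v < 0) return YANK_ERR_NEGATIVE;
    if (v == 0) return YANK_ERR_ZERO;
    if ((unsigned long long)v > blocksize) return YANK_ERR_TOO_BIG;
    *out = (size_t)v;
    return YANK_OK;
}

/* Hardened yank: validate, then allocate, then copy; only after the copy
 * succeeded is the old yank buffer released, so a rejected command never
 * leaves the core holding a dangling or half-initialised buffer. */
YankStatus core_yank(Core *core, const char *arg) {
    size_t len;
    YankStatus st = parse_yank_len(arg, core->blocksize, &len);
    if (st != YANK_OK) return st;
    unsigned char *buf = malloc(len);
    if (!buf) return YANK_ERR_NOMEM;
    memcpy(buf, core->block, len);
    free(core->yank);
    core->yank = buf;
    core->yank_len = len;
    return YANK_OK;
}

void core_init(Core *core) {
    core->blocksize = sizeof core->block;
    for (size_t i = 0; i < core->blocksize; i++)
        core->block[i] = (unsigned char)i;      /* constructed sample block contents */
    core->yank = NULL;
    core->yank_len = 0;
}

void core_fini(Core *core) {
    free(core->yank);
    core->yank = NULL;
    core->yank_len = 0;
}

int main(void) {
    const char *inputs[] = { " -1", "a", "-", "0", "300", "16" };
    Core core;
    core_init(&core);
    printf("(size_t)-1 handed to memcpy would be %zu\n", naive_memcpy_len(-1));
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        YankStatus st = core_yank(&core, inputs[i]);
        printf("y%s -> %s (yank_len now %zu)\n", inputs[i], yank_status_name[st], core.yank_len);
    }
    core_fini(&core);
    return 0;
}
```

Run stand-alone, the block prints one line per input; only `16` yields `ok`, and the yank length stays unchanged on every rejected command.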
