Fix: exception records in PE Images

PE RUNTIME_FUNCTION structures in the exception section of X86-64 executables don't always point to the beginning of procedures. If the UNWIND_INFO Flags indicate that the RUNTIME_FUNCTION structure is UNW_FLAG_CHAININFO, then the "function start address" may actually be pointing to any code block inside the procedure, and cannot be used as a pointer to a procedure.
uxmal · May 31, 2024 · 7338c01 · 7338c01
1 parent 375dd95
commit 7338c01
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 3 deletions.
diff --git a/src/Decompiler/Analysis/DataFlowAnalysis.cs b/src/Decompiler/Analysis/DataFlowAnalysis.cs
@@ -341,7 +341,7 @@ public void DumpWatchedProcedure(string phase, string caption, SsaState ssa)
  {
 
  DumpWatchedProcedure(phase, caption, ssa.Procedure);
-#if !FIND_BUGS
+#if FIND_BUGS
 // This is currently disabled because of hard-to-fix problems with the UnalignedMemoryAccessFuser
  ssa.Validate(s =>
  {

diff --git a/src/ImageLoaders/MzExe/PeImageLoader.cs b/src/ImageLoaders/MzExe/PeImageLoader.cs
@@ -1011,8 +1011,24 @@ public void ReadExceptionRecords(
  while (rdr.Offset < rvaTableEnd)
  {
  var addr = addrLoad + rdr.ReadLeUInt32();
- rdr.Seek(8);
- AddFunctionSymbol(addr, symbols);
+ var addrEnd = addrLoad + rdr.ReadLeUInt32();
+ var addrUnwind = addrLoad + rdr.ReadLeUInt32();
+
+ var rdrUnwind = this.imgLoaded.CreateLeReader(addrUnwind);
+ var flags = rdrUnwind.ReadByte();
+ var cbProlog = rdrUnwind.ReadByte();
+ var cUnwindCodes = rdrUnwind.ReadByte();
+ var frameReg = rdrUnwind.ReadByte();
+
+ const int UNW_FLAG_CHAININFO = 0x20;
+ if ((flags & 0xF0) != UNW_FLAG_CHAININFO)
+ {
+ // Only visit handlers that don't have the UNW_FLAG_CHAININFO
+ // flag set. If the flag _is_ set, then addr is pointing into
+ // the middle of a procedure. Such addresses shouldn't be used 
+ // as function symbol addresses.
+ AddFunctionSymbol(addr, symbols);
+ }
  }
  break;
  case MACHINE_R4000: