radareorg/radare2 6.1.6

Release Notes

Codename: "lospatos2"
Version: 6.1.6
Previous: 6.1.4
AbiDiff: 83-107 (24)
Commits: 455
Contributors: 25

curl -Ls https://github.com/radareorg/radare2/releases/download/6.1.6/radare2-6.1.6.tar.xz | tar xJv
radare2-6.1.6/sys/install.sh
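
The one-liner above pipes an unauthenticated download straight into tar. The script below is an added example, not part of the radare2 release notes or of the project's own scripts: it downloads the tarball to a file first, checks its SHA-256 against a digest you obtained out of band, and only unpacks on a match. The expected digest is an assumption you have to supply from a trusted source; nothing here is a real checksum for this release, and the URL and filename are simply the ones from the install command above.

```shell
#!/bin/sh
# Added example: verify the radare2 6.1.6 tarball before extracting it.
# Assumption: you hold a SHA-256 digest for the tarball obtained out of band.
set -eu

R2_VERSION="6.1.6"
R2_TARBALL="radare2-${R2_VERSION}.tar.xz"
R2_URL="https://github.com/radareorg/radare2/releases/download/${R2_VERSION}/${R2_TARBALL}"

# Print the SHA-256 of a file, working with both coreutils and BSD/macOS tools.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_digest FILE EXPECTED_HEX
# Returns 0 when the file's SHA-256 equals EXPECTED_HEX (case-insensitive), 1 otherwise.
verify_digest() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# fetch_verify_extract EXPECTED_HEX
# Download to a temporary file (never straight into tar), refuse to unpack on a
# digest mismatch, and only extract into the current directory when it matches.
fetch_verify_extract() {
  expected="$1"
  tmpdir=$(mktemp -d)
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmpdir/$R2_TARBALL" "$R2_URL"
  if ! verify_digest "$tmpdir/$R2_TARBALL" "$expected"; then
    echo "SHA-256 mismatch for $R2_TARBALL, refusing to extract" >&2
    rm -rf "$tmpdir"
    return 1
  fi
  tar xJf "$tmpdir/$R2_TARBALL"
  rm -rf "$tmpdir"
}
```

Usage: source the file, run `fetch_verify_extract <sha256-hex>` with the digest you trust, and then run `radare2-6.1.6/sys/install.sh` as in the notes. Keeping the digest out of the script (rather than hardcoding it next to the URL) matters because a compromised download mirror cannot also rewrite a value you fetched from somewhere else.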

Authors

AGhebrea, Abhi, Claude, Dirk Mueller, Hinotobi, Mattia Galuppi, Michał Mnich, Ole André Vadla Ravnås, Priyanshu Kumar, WearyTraveller42, aviciano, condret, davidpolverari, dependabot[bot], orbisai0security, pancake, phix33, potato, randomjack94dev, s-zaizen

Changes

abi

  • Add command file string API
  • Migrate RBinSymbols from RList to RVec
  • Get rid of the backward compat r_core_cmd_calls (Use r_core_call)

anal

  • Rename anal.flagstop to .flagbounds and clarify diff w/ anal.flagends
  • Add anal.flagstop function boundary option
  • Fix PPC positive conditional branches
  • Fix garbage upper bits in xref/heap table size columns (ut64 casts)
  • Add and test static x86 clobber cc metadata
  • Add static x86 calling convention preserve metadata
  • Add static x86 calling convention stack cleanup metadata
  • Improve static and indirect call convention analysis
  • Improve static x86 calling convention stack cleanup
  • Stabilize register index ordering
  • Honor calling convention register clobbers
  • Track callee-popped stack arguments
  • Resolve dynamic calling conventions lazily
  • Add dynamic calling convention parser
  • Generalize calling convention location accessors
  • Use dyncc calling convention for isvm archs
  • Add tests for static calling convention multi-return
  • Fix static calling convention argument lookup
  • Handle two-operand imul and idiv
  • Use indexed return registers in calling conventions
  • Initial support for multireturn in calling conventions
  • Recover ObjC inheritance in analysis classes
  • Better default fcn names, respect symbols
  • Extend RBinMeta for Java/Dalvik/MSIL dynamic callconvs
  • Stack based dynamic calling convention fix for Java
  • Support dynamic calling conventions for Java and Dalvik
  • Fix switch analysis for latest DEX
  • Show branch cases in afbtj
  • Speed up function basic block lookup a bit
  • Keep SwitchOp.dependency ops in afbt, Vc and pdc
  • Reduce type propagation churn and false positives
  • Simplify type propagation backtrace state
  • Tighten type trace access matching
  • All public var apis use RVec now
  • Configurable jumptable maxcases
  • Fix stale Rust jump table bounds
  • Fix x86 jump table autosizing for Rust niche switches
  • Refactor jump table decoding and case analysis
  • Clamp switch case counts and borrow register names
  • Fix afbt script output and sparse zero entries
  • Redesign and extend the jump/switch table API and commands
  • Rename afj to afbt and add a test
  • Fix arch value handling for stack operations
  • Tighten x86 stack operand analysis
  • Populate Xtensa value metadata for stack analysis
  • Populate RISC-V stack value metadata
  • Populate MIPS value metadata for stack analysis
  • Fix ARM stack variable substitution
  • Populate ARM value metadata for stack analysis
  • Rewrite stack variable extraction around values
  • Stop using ESIL in function analysis
  • Fix MIPS register argument recovery
  • Fix bug in 'as command' not showing the right syscall
    • The afbc forces the address to be the first of the basic block if any
  • ArenaPushPop uses CoW optimization
  • Fix infinite loop in the codemeta
  • Support pinning functions with custom emojis
  • Fix CID 1654963,1654964,1654965 - check r_esil_get_parm_strs retval in set_mem dfg
  • Fix CID 1654968 - check r_esil_get_parm_strs retval in esil_dfg
  • Add missing anal.plugins.pre config var

api

  • Move markdown rendering code into a separate file

arch

  • Add OpType/ESIL for PPC dword shifts, X-form ld/st, cntlz, mulh, CR moves
  • Fix signed/endian branch-target analysis in vax, dalvik, xap, arm.gnu and java
  • Fix sparc.gnu endian disassembly
  • Fix capstone v5 M68K patch application
  • More BE fixes even for capstone
  • m68k big endian capstone bug patch
  • More arch goodies for virtual regs
  • Update wasm3 support for try/mmx ops
  • Fix aarch64 big endian be8
  • Update capstone v5/next for the x86 perf boost
  • Fix STM8 pointer offset operands and jump targets
  • Add opt-in Zydis x86 arch plugin
  • Optimize the cs_len_prefix_opcode helper for x86
  • Add RArchInfo.WODST for archs with write-only destination operands
  • Stack allocate insn to avoid malloc/free in arm.cs
  • V850 ESIL: Fix flags, sign-extension, bit ops, shifts
  • Fix v860 esil sign, bit ops like shifts and update flags

asm

  • Cleanup ppc.nz handlers and emit_ppc comments
  • Add ppc.nz r_asm encoder plugin
  • Refactor r_num_math error handling in asm
  • Fix memory leak in x86_nz parseOpcode error paths

bin

  • Add remove class ..field/:inheritance info with ic[+-]
  • Fix per-section reloc cap dropping relocs on multi-section ET_REL objects
  • Fix signed-char Swift super-class and field-type parsing in mach0
  • Fix iS/iSS flags column showing garbage upper bits
  • Emit dynamic calling conventions from bin metadata
  • Implement RBinPlugin.getCc for dotnet,java,dex,python and wasm
  • Parse valid wasm sections 12 and 13 (datacount + tag)
  • RBinStrings are now stored in a vector
  • Speed up COFF bigobj loading
  • Preallocate flag storage from cbin
  • Store flag names in arena and fix DEX leaks
  • Keep trimmed RBinString.length sync
  • Fix objc/macho/swift parsing bugs on big endian
  • Detach reloc_fixups from load_unnamed
  • Migrate RBinSection store from RList to RVec
  • Invalidate addr2klassmethod when ic- removes a method
  • Use RVec for Mach-O reloc fixups
  • Add r_bin_class_add_method and surface class methods
  • Use chained fixup page size for mach0 swizzle chunks
  • Fix Coverity static analysis findings
  • Avoid stale COFF relocation symbol pointers
  • Fix integer overflows in dex_parse_class_method_addrline
  • Add bin.meta config var to permit disabling the codemeta info
  • Lazy-load DEX addrline debug info
  • Extend 'ies' for Dalvik onCreate symbol entrypoints
  • Skip abstract methods when listing dalvik entrypoints
  • Add bin.classes.namesonly option to skip method/field parsing
  • Fix macho-swift/objc metadata leaks
  • Map DEX code sections after method headers
  • Limit DEX_PROTO_STACK_PARAMS to 64
  • Fix the MAX_DEX_PARAMS warning happening in some dex
  • Fix huge macho chained fixup memory leak
  • Add bin.relocs.xrefs to avoid creating them if not needed
  • Parse side support for binunnamed for elf, som, dyldcache and more
  • Extend bin.unnamed to other file formats
  • Add RBinOptions.loadUnnamed via bin.unnamed to not load unnamed symbols
  • Preserve xtr bin info when metadata is partial
  • Add bin.flags to skip bin symbol flags
  • Fix double free in r_bin_import_free
  • Fix DWARF compilation directory metadata leak
  • Guard large id* scripts, reduce dwarf memory usage more and fix ^C trap
  • Warn on huge DWARF debug info loads
  • Don't do drama when loading libraries without entrypoint
  • Trim bin startup metadata with the help of a profiler
  • Handle more PPC64 reloc types and BE-aware reloc patching
  • Port the sep64 binxtr plugin to fs
  • Initial refactoring of the binxtr plugins as rfs ones
  • Ignore fatmacho magics in the java bin plugin
  • Fix #25859 - entrypoint with overlapped elf segments
  • Fix CID 1654967 - widen addr_sym_table to ut64 in load_symbols_from_phdr
  • Add ii+ and ii- to add/remove imports at will
  • Fixes v2p/p2v conversion for in-memory ELFs
  • Handle ABS32 and GLOB_DAT relocs for arm32
  • Force fallback to phdr parsing when stringtab fails in ELF
  • Fix buffer size when parsing binaries from memory
  • Reduce double derefs in dex for perf reasons
  • Fix detection of stripped Swift machos
  • Reduce double derefs in elf for perf reasons
  • Parse and display DER signatures in macho (iC command)
  • Expose DYLD_ENVIRONMENT, __RESTRICT and MH_APP_EXTENSION_SAFE via sdb
  • Kill the hacky RABIN2_CODESIGN_VERBOSE hack using rbinoptions
  • Expose macho signing type in the sdb
  • Reduce double derefs in macho for perf reasons
  • Support globs in the symclass patterns
  • Add fortify and asan symbol names
  • Refine mach0 is_pie and has_nx (heap and stack) checks

build

  • Fix all warnings spotted by GCC-15. Hello Ubuntu26
  • Hide otezip symbols from libr_util
  • Fix the dist tarball and test it in the ci
  • The 'slots' naming is a Qt keyword conflicting with iaito

ci

  • Allow Coverity Scan workflow failures
  • Publish tcc r2r report in CI
  • Run more tests and fix crossmbuild mipsbe
  • Avoid libatomic when linking wasm r2r
  • Add big endian testsuite runs
  • Link Zydis in iOS blob build
    • Disable Zydis in Fil-C builds
    • Link bundled Zydis in static builds

cons

  • Add R_PRINTF_CHECK to r_cons_printf and fix the format-width bugs it surfaces
  • Add strikethrough support to the markdown renderer
  • Support italic and bold markdown
  • Fix terminal mouse escape parsing

core

  • Clean up line seek cache rebuild
  • Expose dynamic calling convention inspection
  • Double free in visual mode when highlighting string >= 32 chars
  • Prompt to rebuild outdated r2pm plugins
  • Report invalid dotted eval keys
  • Iterate over the external plugin system once again
  • Custom internal plugin reorder and unify plugin storage

crash

  • Fix gdb's stop reason exec path lifetime
  • Fix #25992 - Sanitize library names in il* and add obf base64:
  • Use strbuf for GDB XML register profiles
  • Fix #25974 - oversized GDB XML code pointer aliases
  • Fix #25977 - oversized GDB register cache writes
  • Fix parseCodeDirectory OOB Read
  • Avoid unbounded memcpy in gdb’s handle_vFile_pread
  • Fix Mach-O chained fixups starts bounds
  • Fix Dalvik get_name ownership mismatch
  • Don't crash when the RMagic dataset is not installed
  • Stabilize bin vectors before reloc creation
  • Fix use-after-free when commenting in visual mode
  • Fix double free in r_bin_import_free
  • Fix #25918 - Fix out of bounds read in RBin.PE.getName
  • Preallocating 7GB of DWARF dies makes kernels unhappy
  • Fix memcpy UB with 0 and sign type for winkd
  • Fix #25886 - null deref in corrupted dwarf
  • Fix #25872 - null deref in r2fload
  • Fix int ovf allocation macho bugs spotted by @apkunpacker
  • Fix memory exhaustion on corrupted DEX
  • Fix CID 1655150 - clamp num_annotations and dedupe rtv/rti helpers in shlr/java
  • Fix null deref in default cc
  • Fix a lot of vulns in shlr/java
  • Fix integer overflow in java extract_type_value
  • Fix #25840 - OOB read in Java class parser and simplify ref-name building
  • Fix #25835 and #25836 - UAFs in the gdb remote protocol
  • Properly null-terminate readlink() buffer - fixes UB in r2pm
  • Fix an offby1 in rasm2+stdin with r_str_ntrim

debug

  • Enforce syscall number lookup and add more tracing tests
  • Fix register response too large warning in gdb client
  • Reduce DWARF debug info memory usage
  • Group debugger configuration in RDebugOptions
  • Add support for syscall tracing in FreeBSD
  • Add Linux fasttime debugger support
  • Add syscall enter and leave hooks
  • Add parameter format for all syscalls
  • Add checkpoint replay api and commands
  • Fix dx restore
  • Ignore unknown breakpoints by default and show some help
  • Add missing eiz register for the x64-32 profile
  • Sync cpu flags definitions in all the intel reg profiles
  • Fix YMM stitching loop to iterate 8 regs for 32-bit targets
  • Fix print_fpu to use runtime bits check instead of compile-time
  • Add missing vec64 mm0-mm7 and vec128 xmm0-xmm7 to x64-32 regprofile
  • Fix FPU st0-st7 register size from .64 to .80 in x64-32 regprofile
  • Fix i386 syscall calling convention aliases in x64-32 regprofile
  • Fix 4 byte oobread in ptrace_setregs for Linux-x86_64_32
  • Fix #9995 and #15255 - DRX regprofile for 32 on 64-bit hosts

disasm

  • Memoize the current basic block in RDisasmState
  • Fix big-endian bugs in the disasm refs
  • Add ahie to specify an enum type hint for imms
  • Use disasm api instead of commands in pdr
  • Use RVec in Reflines
  • Dynamically pick the needed decoding features in the disassembler
  • Display function pins in the disassembly

doc

  • Document dynamic calling conventions

egg

  • Refactor ppc emitter helpers; default ragg2 endian from arch
  • Add REggEmit priv hooks; move ppc emitter state off file-scope statics
  • Update ppc emitter for REggEmit RStrBuf migration
  • Treat -c bigendian without value as truthy in ragg2
  • Add PowerPC support to ragg2
  • Fix #15468 - ragg2 -P/-B/-w now work on archs without an egg backend
  • Add example programs and ragg2 regression tests for egg
  • Rewrite the ESIL backend in ragg2/egg as an expression compiler
  • Add raw-register syntax and parser cleanups in ragg2/egg

esil

  • Add ESIL for ppc byte-reverse loads/stores and fix opex invalid-reg crash
  • Skip op decode for hard pins in ESIL step
  • Use explicit ESIL interfaces in analysis helpers
  • Use explicit ESIL interfaces for aop cost
  • Setup ESIL DFG instances through r_esil_setup
  • Fix ESIL voyeur initialization and empty write hooks
  • Add packed register sizes to ESIL interfaces
  • Wire ESIL BITS through util interfaces
  • Keep caller ESIL interfaces during setup
  • Add explicit ESIL interfaces and voyeurs
  • Heapless emulation using the new sliced strings
  • Honor failed IO reads in ESIL memory callbacks
  • Fix voyeur index in r_esil_mem_write
  • Clamp shift amount in esil >>=[N] helper
  • Fix stray stack push in esil %=[N] helper
  • Fix null anal deref in pdo / r_esil_toc_new
  • Unbroke 4 FPU emulation tests
  • Add more esil step back tests
  • Fix ESIL trace register rollback off-by-one
  • Return false on oversized ESIL parser tokens

flags

  • Avoid double name filtering in r_flag_set

fs

  • Initial support for the plan9 Fossil FileSystem
  • Add fsoptions and welcome the 9fs support

graph

  • Two dimensional scrolling with urxvt events

io

  • Explicit sperm listings for RIOMaps and RIORegions
  • Warn when map resize is ignored due to new size being 0
  • Fix zero size/resize for gzip, malloc, null and xattr

lang

  • Improve error handling in r2fload qjs
  • Fix all the memory leaks in the qjs plugin

magic

  • Fix CRLF parsing in RMagic needed for windows

perf

  • Improve RBitMap and fix some bugs
  • Cache DEX prototypes to not rebuild signatures
  • Use RBitmap in Dex.isClassIndexInClasses (O(n^n) => O(n))
  • Cache ELF bits detection (6x faster loads)
  • Use HtPP instead of Sdb and inline node shortcuts
  • Use RVec and Sets in more graph places
  • Use RVec instead of RList in the asciiart graph
  • Use RVec.findSorted in disasm and core analysis

print

  • Enjoy utf8 cursors in disasm
  • Add emoji name support, and use it from aflp
  • Show function/bb/flag color in aflj and afl=
  • Add bbcolor/flagcolor in navbar json

projects

  • Improve module id and support debugger and r2frida
  • Refactor newprj into separate files
  • Implement project diffing subcommand
  • Save localvars, types and callconv in newprj
  • Support function/bbs/colors in newprj
  • Save/restore xrefs in newprj
  • Honor prj.new on load
  • Save eval vars in new projects
  • Save flagspaces and other flag attributes in new projects
  • Register prj plugin tab autocompletion
  • Implement prj open to start on a clean session
  • Fix a bunch of UB and logic bugs in the new projects
  • Ignore symlinked notes

pseudo

  • Fix pdco output
  • Suppress jmps when they are actually switches in pdc

r2r

  • Fix dyncc tests on mipsbe
  • Use posix_spawnp for r2r child processes
  • Fix r2r subprocess reaping race

reg

  • Consolidate vregs banks and regprofile parsing
  • Don't warn on regprofiles without A0
  • Add virtual register banks

sandbox

  • Fix #25803 - Replace execl with execlp on r_sandbox_system

search

  • Rename /G to /ag and improve gadget classification
  • Add gadget.esil to classify conditional branches
  • ROP search is now /G and we have rop.cond
  • Improve deterministic syscall search

security

  • Confine project deletion to dir.projects
  • Fix cmdinj via DWARF filenames in the CL* emitters
  • Fix cmdinj in agn/age emitters
  • Fix cmd injection via raw type names in txg graph script
  • Fix cmd injection via raw DWARF file/line in CL/CC emitter
  • Fix cmd injection via raw class names in icg graph script
  • Fix command injection in project's comment replay
  • Fix 3 command injection bugs related to varnames
  • Fix cmd injection via unsanitized DWARF arg name in afsv

shell

  • Add RCons.yesNoBut and use it to permit deleting onprompt load
  • Add scr.font.* and the new utf8 fonts support
  • Check VISUAL first, then EDITOR when deciding cfg.editor
  • Add scr.prompt.r2pm for r2pm rebuild prompts
  • Swap /g and /ag - gadget vs graph
  • Better spot invalid 's' subcommands
  • Add cat -m to expose the markdown renderer api
  • Fix repeated command parsing after semicolons
  • Fix wrong relative seeks +3+1 != 9
  • Add CCb basic-block comment listing
  • Add CLLb basic-block source listing
  • New ?(){}{} conditional syntax
  • Hello miniclippy!
  • Implement ls -a to list hidden files too

socket

  • Expose all HTTP request headers in RSocketHTTPRequest

syscall

  • Add PowerPC linux syscall definitions

tools

  • Fix rasm2 show_analinfo leaks on text path
  • Fix rasm2 -f - stdin skip to use the slurped length

types

  • Switch c2 types parser to use the rstrs api

util

  • Add PJ's api to append an rjson
  • Use r_hex_from_byte in asn1_str
  • Fix large regex matcher state comparison
  • Remove r_snprintf and bump ABI version
  • Introduce RBitSet data structure
  • Implement RVec.findSorted using skiplist tricks
  • Add hidden sandbox grain
  • Fix #16549 - r_regex_init leaks when called on initialized RRegex
  • Initial implementation of the string slice&store api

visual

  • Initialize visual ESIL analysis context
  • Fix unaligned ops with mouse wheel scroll

windows

  • Add r_str_iendswith for case insensitive extensions
