From 7a1067ad4a5c874b601b250fcf4b001e2caff951 Mon Sep 17 00:00:00 2001
From: practicalswift
Date: Mon, 30 Nov 2015 23:44:49 +0100
Subject: [PATCH] Crash case: Invalid read of size 4 when tracing (MIPS32). See #282

---
 .gitignore | 1 +
 tests/regress/Makefile | 1 +
 ...mips_invalid_read_of_size_4_when_tracing.c | 33 +++++++++++++++++++
 3 files changed, 35 insertions(+)
 create mode 100644 tests/regress/mips_invalid_read_of_size_4_when_tracing.c

diff --git a/.gitignore b/.gitignore
index 70a55b91..6efa5142 100644
--- a/.gitignore
+++ b/.gitignore
@@ -114,6 +114,7 @@ mem_map_large
 invalid_read_in_cpu_tb_exec
 invalid_write_in_cpu_tb_exec_x86_64
 x86_16_segfault
+mips_invalid_read_of_size_4_when_tracing
 
 #################
 
diff --git a/tests/regress/Makefile b/tests/regress/Makefile
index 5903b070..33a5f089 100644
--- a/tests/regress/Makefile
+++ b/tests/regress/Makefile
@@ -19,6 +19,7 @@ TESTS += mem_map_large
 TESTS += invalid_read_in_cpu_tb_exec
 TESTS += invalid_write_in_cpu_tb_exec_x86_64
 TESTS += x86_16_segfault
+TESTS += mips_invalid_read_of_size_4_when_tracing
 
 all: $(TESTS)
 
diff --git a/tests/regress/mips_invalid_read_of_size_4_when_tracing.c b/tests/regress/mips_invalid_read_of_size_4_when_tracing.c
new file mode 100644
index 00000000..d912a604
--- /dev/null
+++ b/tests/regress/mips_invalid_read_of_size_4_when_tracing.c
@@ -0,0 +1,33 @@
+#include
+
+static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user_data) {
+ printf("tracing\n");
+}
+
+#define HARDWARE_ARCHITECTURE UC_ARCH_MIPS
+#define HARDWARE_MODE UC_MODE_MIPS32
+
+#define MEMORY_STARTING_ADDRESS 0x1000000
+#define MEMORY_SIZE 2 * 1024 * 1024
+#define MEMORY_PERMISSIONS UC_PROT_ALL
+
+#define BINARY_CODE "00000000000000000000000000AA"
+
+int main(int argc, char **argv, char **envp) {
+ uc_engine *uc;
+ if (uc_open(HARDWARE_ARCHITECTURE, HARDWARE_MODE, &uc)) {
+ printf("uc_open(…) failed\n");
+ return 1;
+ }
+ uc_mem_map(uc, MEMORY_STARTING_ADDRESS, MEMORY_SIZE, MEMORY_PERMISSIONS);
+ if (uc_mem_write(uc, MEMORY_STARTING_ADDRESS, BINARY_CODE, sizeof(BINARY_CODE) - 1)) {
+ printf("uc_mem_write(…) failed\n");
+ return 1;
+ }
+ uc_hook trace;
+ uc_hook_add(uc, &trace, UC_HOOK_CODE, hook_code, NULL, (uint64_t)MEMORY_STARTING_ADDRESS, (uint64_t)(MEMORY_STARTING_ADDRESS + 1));
+ printf("uc_emu_start(…)\n");
+ uc_emu_start(uc, MEMORY_STARTING_ADDRESS, MEMORY_STARTING_ADDRESS + sizeof(BINARY_CODE) - 1, 0, 0);
+ printf("done\n");
+ return 0;
+}
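Review bot: `uc_mem_map`, `uc_hook_add` and `uc_emu_start` in `main` are called without checking their return values, so a failed mapping or hook registration still prints `uc_emu_start(…)` and `done` and exits 0, which would make a broken setup look like a passing run of a test whose whole purpose is to reach the emulation with the hook installed; at minimum guard the map the same way the write is guarded, `if (uc_mem_map(uc, MEMORY_STARTING_ADDRESS, MEMORY_SIZE, MEMORY_PERMISSIONS)) { printf("uc_mem_map(…) failed\n"); return 1; }`. `#define MEMORY_SIZE 2 * 1024 * 1024` is an unparenthesized expression macro; `#define MEMORY_SIZE (2 * 1024 * 1024)` avoids precedence surprises if it is ever used inside a larger expression. The engine is also never released with `uc_close(uc)` before the final `return 0`. The `#include` line shows no header name in this rendering — presumably the angle-bracketed name was lost in extraction, but it is worth confirming against the file that it names the unicorn public header.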