Fix UB on empty trampoline template entries by ehgus607 · Pull Request #112 · GJDuck/e9patch

ehgus607 · 2026-06-27T12:52:08Z

Description

This PR fixes an undefined behavior in empty trampoline template handling.

Root Cause

When template is empty ([]), entries in e9json.cpp:201 can be empty, but code still accessed entries[0] in trampoline duplication. (e9json.cpp:210) That is out-of-bounds access (UB).

Reproduction

Build with debug STL checks:
make clean && CXXFLAGS='-D_GLIBCXX_DEBUG' make -j$(nproc) debug
Run:
./e9tool --backend ./e9patch -M 1 -P empty <binary>

Before fix: abort with vector out-of-bounds message.

hash@hash:~/e9patch$ ./e9tool --backend ./e9patch -M 1 -P empty /bin/true
/usr/include/c++/11/debug/vector:445:
In function:
    std::debug::vector<_Tp, _Allocator>::const_reference std::
    debug::vector<_Tp, _Allocator>::operator[](std::debug::vector<_Tp, 
    _Allocator>::size_type) const [with _Tp = Entry; _Allocator = 
    std::allocator<Entry>; std::debug::vector<_Tp, 
    _Allocator>::const_reference = const Entry&; std::debug::vector<_Tp, 
    _Allocator>::size_type = long unsigned int]

Error: attempt to subscript container with out-of-bounds index 0, but 
container only holds 0 elements.

Objects involved in the operation:
    sequence "this" @ 0x7ffd26853c40 {
      type = std::debug::vector<Entry, std::allocator<Entry> >;
    }

Fix

Add a guard so copy is done only when num_entries > 0.
This avoids accessing entries[0] when entries is empty.

McSinyx · 2026-06-27T13:47:28Z

    T->num_entries = num_entries;
-    memcpy(T->entries, &entries[0], num_entries * sizeof(Entry));
+    if (num_entries > 0)
+        memcpy(T->entries, entries.data(), num_entries * sizeof(Entry));


Hi, just want to note that the branching is not necessary here (and on whether it's desirable, I don't have any informed opinion).

The error message in my description is from libstdc++ debug mode. I also checked with UBSan, and it shows an error message for this exact same access. Accessing index 0 of an empty vector is an Undefined Behavior according to the C++ standard.

I agree that this bug might not be very critical in real situations. However, considering memory safety, I think it is better to keep this branch to prevent the UB explicitly.

I think @McSinyx was just pointing out that the branch if (num_entries > 0) could be technically removed from the patch, since if num_entries == 0 then entries.data() is still defined and memcpy is a nop. The original code was clearly UB however.

GJDuck · 2026-06-28T02:54:10Z

Thanks for the report and patch.

@McSinyx: you are right, but it's fine either way.

Fix UB on empty trampoline template entries

7e63069

McSinyx reviewed Jun 27, 2026

View reviewed changes

GJDuck merged commit 682ab1f into GJDuck:master Jun 28, 2026
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix UB on empty trampoline template entries#112

Fix UB on empty trampoline template entries#112
GJDuck merged 1 commit into
GJDuck:masterfrom
ehgus607:master

ehgus607 commented Jun 27, 2026

Uh oh!

McSinyx Jun 27, 2026

Uh oh!

ehgus607 Jun 28, 2026

Uh oh!

GJDuck Jun 29, 2026

Uh oh!

Uh oh!

GJDuck commented Jun 28, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

ehgus607 commented Jun 27, 2026

Description

Root Cause

Reproduction

Fix

Uh oh!

McSinyx Jun 27, 2026

Choose a reason for hiding this comment

Uh oh!

ehgus607 Jun 28, 2026

Choose a reason for hiding this comment

Uh oh!

GJDuck Jun 29, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

GJDuck commented Jun 28, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants