
#264 PE Analyzer: Crash/hang when viewing sections/disassembly in PE files with high 64-bit base addresses

Fixed
PEAnalyzer (16)
Medium
Defect
2026-03-04
2026-03-03
No

For PE files that have a high image base, e.g., fffff800'00000000, navigating into the Section directory causes Far to crash (terminate abnormally), while attempting to disassemble causes Far to hang indefinitely. See attached hvax64.exe for an example.

The first issue is caused by formatting a 64-bit address to a 16 character buffer. For large addresses, the required buffer is 17 characters, including the terminating NULL.

panel_view.cpp #L161 (sourceforge.net)

swprintf_s(custom_column_data[0] = new wchar_t[16], 16, L"%010llx", va);

The second issue is caused by right-shifting a 64-bit address by 64 bits or more, which results in undefined behavior.

disasm.cpp #L764 (sourceforge.net)

while (max_addr >> (4 * addr_chars_show_) != 0) ++addr_chars_show_;

Possible Fix

The following patch should fix both issues.

--- panel_view.cpp  (revision 638)
+++ panel_view.cpp  (working copy)
@@ -158,8 +158,8 @@

        const ULONGLONG va = idx < sections.size() ? (_pe->image_base() + sect.header.VirtualAddress) : 0;
        const ULONGLONG offset = ALIGN_DN(sect.header.PointerToRawData, _pe->file_alignment());

-       swprintf_s(custom_column_data[0] = new wchar_t[16], 16, L"%010llx", va);
-       swprintf_s(custom_column_data[1] = new wchar_t[16], 16, L"%010llx", offset);
+       swprintf_s(custom_column_data[0] = new wchar_t[17], 17, L"%010llx", va);
+       swprintf_s(custom_column_data[1] = new wchar_t[17], 17, L"%010llx", offset);

        item.CustomColumnData = custom_column_data;
        item.CustomColumnNumber = 2;
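Review bot: the new size is right (a 64-bit value formats as at most 16 hex digits plus the terminating NUL), but the literal 17 is now written four times, once in each `new wchar_t[...]` and once in each `swprintf_s` size argument, with nothing tying it to the `ULONGLONG` being printed. Derive it once from the type, e.g. `constexpr size_t hex_buf_len = sizeof(ULONGLONG) * 2 + 1;` and then `new wchar_t[hex_buf_len], hex_buf_len`, so the allocation and the size passed to `swprintf_s` cannot drift apart again. Note also that `%010llx` only sets a minimum width; for a high image base both columns grow to 16 characters, so the panel's column width must be able to accommodate that.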
--- disasm.cpp  (revision 638)
+++ disasm.cpp  (working copy)
@@ -761,7 +761,7 @@
    const auto count = nsect + (tail_siz ? 1 : 0);

    const auto max_addr = image_base_ + sects_end + tail_siz;

-   while (max_addr >> (4 * addr_chars_show_) != 0) ++addr_chars_show_;
+   while (addr_chars_show_ != 16 && max_addr >> (4 * addr_chars_show_) != 0) ++addr_chars_show_;
    addr_column_width_ = addr_chars_show_ + 2; // ": "

    listing_.AddOneLine(comment_line);
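Review bot: the `addr_chars_show_ != 16 &&` guard correctly relies on short-circuit evaluation to keep the shift count below 64, but 16 is the width of `max_addr`, which is declared `auto`; expressing the bound as `sizeof(max_addr) * 2` keeps the guard correct if the operand type ever changes, and `<` reads more clearly than `!=` since `addr_chars_show_` only ever increases. Separately, `image_base_ + sects_end + tail_siz` is unsigned arithmetic, so for an image base near the top of the 64-bit range the sum can wrap to a small value; that would no longer be undefined behaviour, but the loop would then compute too few digits and the column would truncate.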
1 Attachments
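The two defects in the ticket description, as an added example that is not part of the ticket or of PE Analyzer's code: a digit-count loop that can never shift a 64-bit operand by 64 or more bits, and a formatting buffer whose size is derived from the type rather than hand-picked, so `%010llx` always fits. The function names (`hex_digits_for`, `format_va`, `addr_column_width`) and the constant `kHexBufLen` are my own; only the `%010llx` conversion and the `+ 2` for the ": " separator are taken from the ticket.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Added example, not PE Analyzer code. Names below are hypothetical.

// Number of hex digits needed to print `addr` without truncation: at least
// `min_digits` (10 mirrors the "%010llx" minimum in the ticket) and at most
// 16. The loop condition checks `digits < max_digits` first, so the shift
// count is always below 64; shifting a 64-bit value by 64 or more bits is
// undefined behaviour, which is what hung the disassembler.
std::size_t hex_digits_for(std::uint64_t addr, std::size_t min_digits = 10) {
    const std::size_t max_digits = sizeof(addr) * 2;   // 16 for uint64_t
    std::size_t digits = min_digits < max_digits ? min_digits : max_digits;
    while (digits < max_digits && (addr >> (4 * digits)) != 0) {
        ++digits;
    }
    return digits;
}

// Width of the address column, mirroring `addr_chars_show_ + 2` for ": ".
// A pure function of the file's largest address, so it can be recomputed
// for every file instead of being kept as stale state from the first one.
std::size_t addr_column_width(std::uint64_t max_addr) {
    return hex_digits_for(max_addr) + 2;
}

// Buffer length derived from the type: 16 hex digits plus the terminating NUL.
// A 16-element buffer is one short for any address above 0x0fffffffffffffff,
// which is why the 16-character buffer in the ticket crashed on a high base.
constexpr std::size_t kHexBufLen = sizeof(std::uint64_t) * 2 + 1;

// Formats a 64-bit address as zero-padded hex with the ticket's "%010llx"
// conversion; the buffer is large enough for every 64-bit value.
std::string format_va(std::uint64_t va) {
    char buf[kHexBufLen];
    const int n = std::snprintf(buf, sizeof buf, "%010llx",
                                static_cast<unsigned long long>(va));
    assert(n >= 0 && static_cast<std::size_t>(n) < sizeof buf);
    return std::string(buf, static_cast<std::size_t>(n));
}

int main() {
    // Constructed sample image bases: a typical 32-bit base, a typical
    // 64-bit user-mode base, and a high kernel-style base like the ticket's.
    const std::uint64_t samples[] = {0x400000ULL, 0x140000000ULL,
                                     0xfffff80000000000ULL};
    for (std::uint64_t va : samples) {
        std::printf("%s  (%zu hex digits, column width %zu)\n",
                    format_va(va).c_str(), hex_digits_for(va),
                    addr_column_width(va));
    }
    return 0;
}
```

Because `hex_digits_for` and `addr_column_width` take the maximum address as a parameter rather than caching the result, calling them when each file is opened gives a column that is neither truncated nor over-padded, which is the follow-up behaviour discussed in the comments below.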

Discussion

  • Vladimir Surguchev

    10X, try 3.10.26

     
  • Vladimir Surguchev

    The second issue is caused by right-shifting a 64-bit address by 64 bits or more, which results in undefined behavior.

    Yes...I naively believed that a 64-bit right shift is equal to 2 shifts by 32 bits (or 16 shifts by 4) and is guaranteed to give 0 for a 64-bit unsigned integer.

     
  • Vladimir Surguchev

    • status: New --> Accepted
    • assigned_to: Vladimir Surguchev
     
  • Rohitab Batra

    Rohitab Batra - 2026-03-03

    Thank you. This issue is resolved.

    Address Column Width
    I noticed that you also made the width of the Address column dynamic, which is great. However, the column width is only initialized for the first PE file that is opened.

    So, if you open a PE file with a smaller image base, then one with a larger image base, the column width will remain small, and the address will be truncated and displayed with an ellipsis.

    Similarly, if you open a file with a large image base first, then the column width will remain large, and files with a smaller image base will display the address padded with extra zeros.

     
  • Vladimir Surguchev

    3.10.27

     
  • Rohitab Batra

    Rohitab Batra - 2026-03-04

    Perfect. Thank you, much appreciated.

     
  • Vladimir Surguchev

    • status: Accepted --> Fixed
     
