Tuts 4 You

IDA Pro COFF Debug Info Parsing Bug




In this post I will share something that may be considered a bug in IDA. The bug is as follows:

If we manipulate the value of the "NumberOfSymbols" field in the "IMAGE_COFF_SYMBOLS_HEADER" structure, we can force IDA to abort processing the whole PE and quickly terminate.


When manipulating this field, just make sure to set a compatible value for the "SizeOfData" field in the "IMAGE_DEBUG_DIRECTORY" structure and also have a compatible file size by appending null bytes to the file end.


When calculating the required memory size for symbol entries using the spoofed value, IDA detects an overflow.


After clicking the OK button in the image above, IDA quickly terminates.

You can find a demo here. It has the "NumberOfSymbols" field set to 0xE38EEDB5 and the "SizeOfData" field set to 0xFFFFF. It has been tested on IDA 6.2 Demo version and IDA 6.3.

A quick workaround is to temporarily disable the "loaders\dbg.ldw" module.

Any comments or ideas are very welcome.

You can follow me @waleedassar
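The consistency check described in the post (symbol table size derived from "NumberOfSymbols", the data it must fit inside per "SizeOfData", and the file size) is easy to reproduce in a small pre-load validator. The following is an added example, not code from the post or from IDA: it parses an IMAGE_DEBUG_DIRECTORY entry and the IMAGE_COFF_SYMBOLS_HEADER it points to, and reports whether the 18-byte symbol records claimed by "NumberOfSymbols" overflow a 32-bit size or fall outside "SizeOfData". The sample file built by `build_sample` is constructed data (a padded blob, not a real PE) that reuses the field values the post gives; the 0x200 offset and the helper names are assumptions.

```python
import struct

COFF_SYMBOL_SIZE = 18               # sizeof(IMAGE_SYMBOL): one COFF symbol table record
IMAGE_DEBUG_TYPE_COFF = 1
DEBUG_DIRECTORY_FMT = "<IIHHIIII"   # IMAGE_DEBUG_DIRECTORY, 28 bytes, little-endian
COFF_SYMBOLS_HEADER_FMT = "<8I"     # IMAGE_COFF_SYMBOLS_HEADER, 32 bytes
COFF_SYMBOLS_HEADER_SIZE = struct.calcsize(COFF_SYMBOLS_HEADER_FMT)
UINT32_MAX = 0xFFFFFFFF


def check_coff_debug_entry(debug_dir_bytes, file_data):
    """Validate one COFF debug directory entry against the file it lives in.

    Returns a list of findings; an empty list means the header is consistent.
    """
    findings = []
    (_characteristics, _timestamp, _major, _minor, dbg_type,
     size_of_data, _address_of_raw_data,
     pointer_to_raw_data) = struct.unpack(DEBUG_DIRECTORY_FMT, debug_dir_bytes)

    if dbg_type != IMAGE_DEBUG_TYPE_COFF:
        return ["debug entry is not IMAGE_DEBUG_TYPE_COFF"]

    # The debug data must lie entirely inside the file.
    if pointer_to_raw_data + size_of_data > len(file_data):
        findings.append("SizeOfData runs past end of file")
    if size_of_data < COFF_SYMBOLS_HEADER_SIZE:
        findings.append("SizeOfData smaller than IMAGE_COFF_SYMBOLS_HEADER")
    if pointer_to_raw_data + COFF_SYMBOLS_HEADER_SIZE > len(file_data):
        findings.append("IMAGE_COFF_SYMBOLS_HEADER lies outside the file")
        return findings

    header = struct.unpack(
        COFF_SYMBOLS_HEADER_FMT,
        file_data[pointer_to_raw_data:pointer_to_raw_data + COFF_SYMBOLS_HEADER_SIZE])
    number_of_symbols, lva_to_first_symbol = header[0], header[1]

    # Python integers do not wrap, so the exact product can be compared with
    # the 32-bit limit a native parser would overflow at.
    symbol_table_bytes = number_of_symbols * COFF_SYMBOL_SIZE
    if symbol_table_bytes > UINT32_MAX:
        findings.append(
            f"NumberOfSymbols=0x{number_of_symbols:X}: symbol table size overflows 32 bits")
    if lva_to_first_symbol + symbol_table_bytes > size_of_data:
        findings.append("symbol table does not fit inside SizeOfData")
    return findings


def build_sample(number_of_symbols, size_of_data, debug_data_offset=0x200):
    """Construct (debug_dir_bytes, file_data) for testing.

    This is synthetic data: a null-padded blob with the COFF symbols header
    at debug_data_offset and the symbols declared to start right after it.
    Padding the blob to debug_data_offset + size_of_data keeps the file size
    "compatible" with SizeOfData, exactly as the post describes.
    """
    coff_header = struct.pack(COFF_SYMBOLS_HEADER_FMT, number_of_symbols,
                              COFF_SYMBOLS_HEADER_SIZE, 0, 0, 0, 0, 0, 0)
    file_data = bytearray(debug_data_offset + size_of_data)
    file_data[debug_data_offset:debug_data_offset + COFF_SYMBOLS_HEADER_SIZE] = coff_header
    debug_dir = struct.pack(DEBUG_DIRECTORY_FMT, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_COFF,
                            size_of_data, 0, debug_data_offset)
    return debug_dir, bytes(file_data)


if __name__ == "__main__":
    # Values from the post's demo file: file size matches, but the symbol count cannot.
    spoofed = build_sample(0xE38EEDB5, 0xFFFFF)
    print(check_coff_debug_entry(*spoofed))
    # A sane header: 10 symbols occupying 180 bytes right after the 32-byte header.
    sane = build_sample(10, COFF_SYMBOLS_HEADER_SIZE + 10 * COFF_SYMBOL_SIZE)
    print(check_coff_debug_entry(*sane))
```

The file-size check alone passes for the post's demo because the file was padded to match "SizeOfData"; only the overflow and fit checks catch the spoofed count, which is why a loader needs both.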


Nice, and I really like your blog! :) Keep it up.

BTW, IIRC Hex-Rays offers a bounty program for vulnerabilities in IDA... this may not be one, just a general note. ;)
