Fix operand list iterators being validated when appending new instructions

bdash · bdash · commit cbc66f931da1 · 2026-03-19T08:43:51.000-07:00
The iterators now store an offset into the operand storage, rather than
a pointer. Deferencing the iterator retrieves the value at that offset
from the IL function.

This issue existed prior to the operand list storage refactor, but
became easier to hit after that change. The separate operand list vector
is smaller and thus more likely to reallocate when a new instruction is
appended.
diff --git a/binaryninjacore.h b/binaryninjacore.h
@@ -37,14 +37,14 @@
 // Current ABI version for linking to the core. This is incremented any time
 // there are changes to the API that affect linking, including new functions,
 // new types, or modifications to existing functions or types.
-#define BN_CURRENT_CORE_ABI_VERSION 160
+#define BN_CURRENT_CORE_ABI_VERSION 161
 
 // Minimum ABI version that is supported for loading of plugins. Plugins that
 // are linked to an ABI version less than this will not be able to load and
 // will require rebuilding. The minimum version is increased when there are
 // incompatible changes that break binary compatibility, such as changes to
 // existing types or functions.
-#define BN_MINIMUM_CORE_ABI_VERSION 160
+#define BN_MINIMUM_CORE_ABI_VERSION 161
 
 #ifdef __GNUC__
 	#ifdef BINARYNINJACORE_LIBRARY
@@ -6445,7 +6445,7 @@ extern "C"
 	BINARYNINJACOREAPI uint64_t* BNLowLevelILGetOperandList(
 	    BNLowLevelILFunction* func, size_t expr, size_t operand, size_t* count);
 	BINARYNINJACOREAPI void BNLowLevelILFreeOperandList(uint64_t* operands);
-	BINARYNINJACOREAPI const uint64_t* BNLowLevelILGetOperandPointer(
+	BINARYNINJACOREAPI uint64_t BNLowLevelILGetOperand(
 	    BNLowLevelILFunction* func, size_t offset);
 
 	BINARYNINJACOREAPI size_t BNCacheLowLevelILPossibleValueSet(BNLowLevelILFunction* func, BNPossibleValueSet* pvs);
@@ -6604,7 +6604,7 @@ extern "C"
 	BINARYNINJACOREAPI uint64_t* BNMediumLevelILGetOperandList(
 	    BNMediumLevelILFunction* func, size_t expr, size_t operand, size_t* count);
 	BINARYNINJACOREAPI void BNMediumLevelILFreeOperandList(uint64_t* operands);
-	BINARYNINJACOREAPI const uint64_t* BNMediumLevelILGetOperandPointer(
+	BINARYNINJACOREAPI uint64_t BNMediumLevelILGetOperand(
 	    BNMediumLevelILFunction* func, size_t offset);
 
 	BINARYNINJACOREAPI size_t BNCacheMediumLevelILPossibleValueSet(BNMediumLevelILFunction* func, BNPossibleValueSet* pvs);
@@ -6767,7 +6767,7 @@ extern "C"
 	BINARYNINJACOREAPI uint64_t* BNHighLevelILGetOperandList(
 	    BNHighLevelILFunction* func, size_t expr, size_t operand, size_t* count);
 	BINARYNINJACOREAPI void BNHighLevelILFreeOperandList(uint64_t* operands);
-	BINARYNINJACOREAPI const uint64_t* BNHighLevelILGetOperandPointer(
+	BINARYNINJACOREAPI uint64_t BNHighLevelILGetOperand(
 	    BNHighLevelILFunction* func, size_t offset);
 
 	BINARYNINJACOREAPI size_t BNCacheHighLevelILPossibleValueSet(BNHighLevelILFunction* func, BNPossibleValueSet* pvs);
diff --git a/highlevelilinstruction.cpp b/highlevelilinstruction.cpp
@@ -288,26 +288,26 @@ bool HighLevelILIntegerList::ListIterator::operator<(const ListIterator& a) cons
 HighLevelILIntegerList::ListIterator& HighLevelILIntegerList::ListIterator::operator++()
 {
 	count--;
-	cur++;
+	offset++;
 	return *this;
 }
 
 
 uint64_t HighLevelILIntegerList::ListIterator::operator*()
 {
-	return *cur;
+#ifdef BINARYNINJACORE_LIBRARY
+	return function->GetOperand(offset);
+#else
+	return BNHighLevelILGetOperand(function->GetObject(), offset);
+#endif
 }
 
 
 HighLevelILIntegerList::HighLevelILIntegerList(
     HighLevelILFunction* func, size_t offset, size_t count)
 {
 	m_start.function = func;
-#ifdef BINARYNINJACORE_LIBRARY
-	m_start.cur = func->GetOperandPointer(offset);
-#else
-	m_start.cur = BNHighLevelILGetOperandPointer(func->GetObject(), offset);
-#endif
+	m_start.offset = offset;
 	m_start.count = count;
 }
 
@@ -322,7 +322,7 @@ HighLevelILIntegerList::const_iterator HighLevelILIntegerList::end() const
 {
 	const_iterator result;
 	result.function = m_start.function;
-	result.cur = m_start.cur + m_start.count;
+	result.offset = m_start.offset + m_start.count;
 	result.count = 0;
 	return result;
 }
@@ -338,7 +338,11 @@ uint64_t HighLevelILIntegerList::operator[](size_t i) const
 {
 	if (i >= size())
 		throw HighLevelILInstructionAccessException();
-	return m_start.cur[i];
+#ifdef BINARYNINJACORE_LIBRARY
+	return m_start.function->GetOperand(m_start.offset + i);
+#else
+	return BNHighLevelILGetOperand(m_start.function->GetObject(), m_start.offset + i);
+#endif
 }
 
 
diff --git a/highlevelilinstruction.h b/highlevelilinstruction.h
@@ -196,7 +196,7 @@ namespace BinaryNinja
 #else
 			Ref<HighLevelILFunction> function;
 #endif
-			const uint64_t* cur;
+			size_t offset;
 			size_t count;
 
 			bool operator==(const ListIterator& a) const;
diff --git a/lowlevelilinstruction.cpp b/lowlevelilinstruction.cpp
@@ -597,26 +597,26 @@ bool LowLevelILIntegerList::ListIterator::operator<(const ListIterator& a) const
 LowLevelILIntegerList::ListIterator& LowLevelILIntegerList::ListIterator::operator++()
 {
 	count--;
-	cur++;
+	offset++;
 	return *this;
 }
 
 
 uint64_t LowLevelILIntegerList::ListIterator::operator*()
 {
-	return *cur;
+#ifdef BINARYNINJACORE_LIBRARY
+	return function->GetOperand(offset);
+#else
+	return BNLowLevelILGetOperand(function->GetObject(), offset);
+#endif
 }
 
 
 LowLevelILIntegerList::LowLevelILIntegerList(
     LowLevelILFunction* func, size_t offset, size_t count)
 {
 	m_start.function = func;
-#ifdef BINARYNINJACORE_LIBRARY
-	m_start.cur = func->GetOperandPointer(offset);
-#else
-	m_start.cur = BNLowLevelILGetOperandPointer(func->GetObject(), offset);
-#endif
+	m_start.offset = offset;
 	m_start.count = count;
 }
 
@@ -631,7 +631,7 @@ LowLevelILIntegerList::const_iterator LowLevelILIntegerList::end() const
 {
 	const_iterator result;
 	result.function = m_start.function;
-	result.cur = m_start.cur + m_start.count;
+	result.offset = m_start.offset + m_start.count;
 	result.count = 0;
 	return result;
 }
@@ -647,7 +647,11 @@ uint64_t LowLevelILIntegerList::operator[](size_t i) const
 {
 	if (i >= size())
 		throw LowLevelILInstructionAccessException();
-	return m_start.cur[i];
+#ifdef BINARYNINJACORE_LIBRARY
+	return m_start.function->GetOperand(m_start.offset + i);
+#else
+	return BNLowLevelILGetOperand(m_start.function->GetObject(), m_start.offset + i);
+#endif
 }
 
 
diff --git a/lowlevelilinstruction.h b/lowlevelilinstruction.h
@@ -385,7 +385,7 @@ namespace BinaryNinja
 #else
 			Ref<LowLevelILFunction> function;
 #endif
-			const uint64_t* cur;
+			size_t offset;
 			size_t count;
 
 			bool operator==(const ListIterator& a) const;
diff --git a/mediumlevelilinstruction.cpp b/mediumlevelilinstruction.cpp
@@ -320,26 +320,26 @@ bool MediumLevelILIntegerList::ListIterator::operator<(const ListIterator& a) co
 MediumLevelILIntegerList::ListIterator& MediumLevelILIntegerList::ListIterator::operator++()
 {
 	count--;
-	cur++;
+	offset++;
 	return *this;
 }
 
 
 uint64_t MediumLevelILIntegerList::ListIterator::operator*()
 {
-	return *cur;
+#ifdef BINARYNINJACORE_LIBRARY
+	return function->GetOperand(offset);
+#else
+	return BNMediumLevelILGetOperand(function->GetObject(), offset);
+#endif
 }
 
 
 MediumLevelILIntegerList::MediumLevelILIntegerList(
     MediumLevelILFunction* func, size_t offset, size_t count)
 {
 	m_start.function = func;
-#ifdef BINARYNINJACORE_LIBRARY
-	m_start.cur = func->GetOperandPointer(offset);
-#else
-	m_start.cur = BNMediumLevelILGetOperandPointer(func->GetObject(), offset);
-#endif
+	m_start.offset = offset;
 	m_start.count = count;
 }
 
@@ -354,7 +354,7 @@ MediumLevelILIntegerList::const_iterator MediumLevelILIntegerList::end() const
 {
 	const_iterator result;
 	result.function = m_start.function;
-	result.cur = m_start.cur + m_start.count;
+	result.offset = m_start.offset + m_start.count;
 	result.count = 0;
 	return result;
 }
@@ -370,7 +370,11 @@ uint64_t MediumLevelILIntegerList::operator[](size_t i) const
 {
 	if (i >= size())
 		throw MediumLevelILInstructionAccessException();
-	return m_start.cur[i];
+#ifdef BINARYNINJACORE_LIBRARY
+	return m_start.function->GetOperand(m_start.offset + i);
+#else
+	return BNMediumLevelILGetOperand(m_start.function->GetObject(), m_start.offset + i);
+#endif
 }
 
 
diff --git a/mediumlevelilinstruction.h b/mediumlevelilinstruction.h
@@ -247,7 +247,7 @@ namespace BinaryNinja
 #else
 			Ref<MediumLevelILFunction> function;
 #endif
-			const uint64_t* cur;
+			size_t offset;
 			size_t count;
 
 			bool operator==(const ListIterator& a) const;

Original file line number	Diff line number	Diff line change
`@@ -288,26 +288,26 @@ bool HighLevelILIntegerList::ListIterator::operator<(const ListIterator& a) cons`
`288`	`288`	`HighLevelILIntegerList::ListIterator& HighLevelILIntegerList::ListIterator::operator++()`
`289`	`289`	`{`
`290`	`290`	`count--;`
`291`		`- cur++;`
	`291`	`+ offset++;`
`292`	`292`	`return *this;`
`293`	`293`	`}`
`294`	`294`
`295`	`295`
`296`	`296`	`uint64_t HighLevelILIntegerList::ListIterator::operator*()`
`297`	`297`	`{`
`298`		`- return *cur;`
	`298`	`+#ifdef BINARYNINJACORE_LIBRARY`
	`299`	`+ return function->GetOperand(offset);`
	`300`	`+#else`
	`301`	`+ return BNHighLevelILGetOperand(function->GetObject(), offset);`
	`302`	`+#endif`
`299`	`303`	`}`
`300`	`304`
`301`	`305`
`302`	`306`	`HighLevelILIntegerList::HighLevelILIntegerList(`
`303`	`307`	`HighLevelILFunction* func, size_t offset, size_t count)`
`304`	`308`	`{`
`305`	`309`	`m_start.function = func;`
`306`		`-#ifdef BINARYNINJACORE_LIBRARY`
`307`		`- m_start.cur = func->GetOperandPointer(offset);`
`308`		`-#else`
`309`		`- m_start.cur = BNHighLevelILGetOperandPointer(func->GetObject(), offset);`
`310`		`-#endif`
	`310`	`+ m_start.offset = offset;`
`311`	`311`	`m_start.count = count;`
`312`	`312`	`}`
`313`	`313`
`@@ -322,7 +322,7 @@ HighLevelILIntegerList::const_iterator HighLevelILIntegerList::end() const`
`322`	`322`	`{`
`323`	`323`	`const_iterator result;`
`324`	`324`	`result.function = m_start.function;`
`325`		`- result.cur = m_start.cur + m_start.count;`
	`325`	`+ result.offset = m_start.offset + m_start.count;`
`326`	`326`	`result.count = 0;`
`327`	`327`	`return result;`
`328`	`328`	`}`
`@@ -338,7 +338,11 @@ uint64_t HighLevelILIntegerList::operator[](size_t i) const`
`338`	`338`	`{`
`339`	`339`	`if (i >= size())`
`340`	`340`	`throw HighLevelILInstructionAccessException();`
`341`		`- return m_start.cur[i];`
	`341`	`+#ifdef BINARYNINJACORE_LIBRARY`
	`342`	`+ return m_start.function->GetOperand(m_start.offset + i);`
	`343`	`+#else`
	`344`	`+ return BNHighLevelILGetOperand(m_start.function->GetObject(), m_start.offset + i);`
	`345`	`+#endif`
`342`	`346`	`}`
`343`	`347`
`344`	`348`
Original file line number	Diff line number	Diff line change
`@@ -597,26 +597,26 @@ bool LowLevelILIntegerList::ListIterator::operator<(const ListIterator& a) const`
`597`	`597`	`LowLevelILIntegerList::ListIterator& LowLevelILIntegerList::ListIterator::operator++()`
`598`	`598`	`{`
`599`	`599`	`count--;`
`600`		`- cur++;`
	`600`	`+ offset++;`
`601`	`601`	`return *this;`
`602`	`602`	`}`
`603`	`603`
`604`	`604`
`605`	`605`	`uint64_t LowLevelILIntegerList::ListIterator::operator*()`
`606`	`606`	`{`
`607`		`- return *cur;`
	`607`	`+#ifdef BINARYNINJACORE_LIBRARY`
	`608`	`+ return function->GetOperand(offset);`
	`609`	`+#else`
	`610`	`+ return BNLowLevelILGetOperand(function->GetObject(), offset);`
	`611`	`+#endif`
`608`	`612`	`}`
`609`	`613`
`610`	`614`
`611`	`615`	`LowLevelILIntegerList::LowLevelILIntegerList(`
`612`	`616`	`LowLevelILFunction* func, size_t offset, size_t count)`
`613`	`617`	`{`
`614`	`618`	`m_start.function = func;`
`615`		`-#ifdef BINARYNINJACORE_LIBRARY`
`616`		`- m_start.cur = func->GetOperandPointer(offset);`
`617`		`-#else`
`618`		`- m_start.cur = BNLowLevelILGetOperandPointer(func->GetObject(), offset);`
`619`		`-#endif`
	`619`	`+ m_start.offset = offset;`
`620`	`620`	`m_start.count = count;`
`621`	`621`	`}`
`622`	`622`
`@@ -631,7 +631,7 @@ LowLevelILIntegerList::const_iterator LowLevelILIntegerList::end() const`
`631`	`631`	`{`
`632`	`632`	`const_iterator result;`
`633`	`633`	`result.function = m_start.function;`
`634`		`- result.cur = m_start.cur + m_start.count;`
	`634`	`+ result.offset = m_start.offset + m_start.count;`
`635`	`635`	`result.count = 0;`
`636`	`636`	`return result;`
`637`	`637`	`}`
`@@ -647,7 +647,11 @@ uint64_t LowLevelILIntegerList::operator[](size_t i) const`
`647`	`647`	`{`
`648`	`648`	`if (i >= size())`
`649`	`649`	`throw LowLevelILInstructionAccessException();`
`650`		`- return m_start.cur[i];`
	`650`	`+#ifdef BINARYNINJACORE_LIBRARY`
	`651`	`+ return m_start.function->GetOperand(m_start.offset + i);`
	`652`	`+#else`
	`653`	`+ return BNLowLevelILGetOperand(m_start.function->GetObject(), m_start.offset + i);`
	`654`	`+#endif`
`651`	`655`	`}`
`652`	`656`
`653`	`657`
Original file line number	Diff line number	Diff line change
`@@ -320,26 +320,26 @@ bool MediumLevelILIntegerList::ListIterator::operator<(const ListIterator& a) co`
`320`	`320`	`MediumLevelILIntegerList::ListIterator& MediumLevelILIntegerList::ListIterator::operator++()`
`321`	`321`	`{`
`322`	`322`	`count--;`
`323`		`- cur++;`
	`323`	`+ offset++;`
`324`	`324`	`return *this;`
`325`	`325`	`}`
`326`	`326`
`327`	`327`
`328`	`328`	`uint64_t MediumLevelILIntegerList::ListIterator::operator*()`
`329`	`329`	`{`
`330`		`- return *cur;`
	`330`	`+#ifdef BINARYNINJACORE_LIBRARY`
	`331`	`+ return function->GetOperand(offset);`
	`332`	`+#else`
	`333`	`+ return BNMediumLevelILGetOperand(function->GetObject(), offset);`
	`334`	`+#endif`
`331`	`335`	`}`
`332`	`336`
`333`	`337`
`334`	`338`	`MediumLevelILIntegerList::MediumLevelILIntegerList(`
`335`	`339`	`MediumLevelILFunction* func, size_t offset, size_t count)`
`336`	`340`	`{`
`337`	`341`	`m_start.function = func;`
`338`		`-#ifdef BINARYNINJACORE_LIBRARY`
`339`		`- m_start.cur = func->GetOperandPointer(offset);`
`340`		`-#else`
`341`		`- m_start.cur = BNMediumLevelILGetOperandPointer(func->GetObject(), offset);`
`342`		`-#endif`
	`342`	`+ m_start.offset = offset;`
`343`	`343`	`m_start.count = count;`
`344`	`344`	`}`
`345`	`345`
`@@ -354,7 +354,7 @@ MediumLevelILIntegerList::const_iterator MediumLevelILIntegerList::end() const`
`354`	`354`	`{`
`355`	`355`	`const_iterator result;`
`356`	`356`	`result.function = m_start.function;`
`357`		`- result.cur = m_start.cur + m_start.count;`
	`357`	`+ result.offset = m_start.offset + m_start.count;`
`358`	`358`	`result.count = 0;`
`359`	`359`	`return result;`
`360`	`360`	`}`
`@@ -370,7 +370,11 @@ uint64_t MediumLevelILIntegerList::operator[](size_t i) const`
`370`	`370`	`{`
`371`	`371`	`if (i >= size())`
`372`	`372`	`throw MediumLevelILInstructionAccessException();`
`373`		`- return m_start.cur[i];`
	`373`	`+#ifdef BINARYNINJACORE_LIBRARY`
	`374`	`+ return m_start.function->GetOperand(m_start.offset + i);`
	`375`	`+#else`
	`376`	`+ return BNMediumLevelILGetOperand(m_start.function->GetObject(), m_start.offset + i);`
	`377`	`+#endif`
`374`	`378`	`}`
`375`	`379`
`376`	`380`