Fix use-after-free of enum type id in set_int_display_type

ChrisKader · ChrisKader · commit 53a8d796713e · 2026-06-06T02:54:45.000-05:00
`set_int_display_type` converted the optional enumeration type id to an owned
C string, then moved it into a closure to take its pointer. The C string was
dropped at the end of that closure, before `BNSetIntegerConstantDisplayType`
ran, so the FFI call read freed memory and stored a garbage type id for the
enumeration display. As a result an integer operand set to
EnumerationDisplayType never resolved to its enumeration and rendered as a
raw constant. Borrow the owned C string instead so it outlives the call.
diff --git a/rust/src/function.rs b/rust/src/function.rs
@@ -1945,7 +1945,11 @@ impl Function {
     ) {
         let arch = arch.unwrap_or_else(|| self.arch());
         let enum_display_typeid = enum_display_typeid.map(IntoCStr::to_cstr);
+        // Borrow the owned C string rather than moving it into `map`, otherwise it is dropped
+        // before the FFI call below and `BNSetIntegerConstantDisplayType` reads freed memory,
+        // storing a garbage type id for the enumeration.
         let enum_display_typeid_ptr = enum_display_typeid
+            .as_ref()
             .map(|x| x.as_ptr())
             .unwrap_or(std::ptr::null());
         unsafe {
