capstone icon indicating copy to clipboard operation
capstone copied to clipboard
verified publisher icon capstone-engine

Capstone displacement size is incorrect

Open HacMan137 opened this issue 10 months ago • 2 comments

I'm running into a weird issue with capstone where the following instruction:

66 0F 6F 05 DC A7 01 00

is presented as movdqa xmm0, xmmword ptr [rip + 0x1a7dc], however the disp_size value is 2 and disp_offset is 4. These two things do not agree with each other, because if the disp_size was 2 then the displacement bytes would be DC A7, which, when sign-extended would give a value of -22564 which should be added to the current value of rip. However, the string disassembly clearly shows the displacement as 0x1a7dc. After verifying against objdump and GDB, I can see that 0x1a7dc is the correct displacement value. This means that the disp_size should be coming back as 4, not 2.

Unless I'm missing something?

Tested with Capstone 5.0.5

Work environment

Questions Answers
System Capstone runs on OS/arch/bits PopOS x86-64
Capstone module affected x86
Source of Capstone git clone
Version/git commit v5.0.5:55261253c3f14d957c58382df82e61123dad45b9

Instruction bytes giving faulty results

66 0F 6F 05 DC A7 01 00

Expected results

It should be:

disp_size=4

Steps to get the wrong result

With Python

CODE = b'\x66\x0F\x6F\x05\xDC\xA7\x01\x00'

md = Cs(CS_ARCH_X86, CS_MODE_64)
md.detail = True
for insn in md.disasm(CODE, 0x1000):
  print(insn.disp_size)

HacMan137 avatar Jan 27 '25 19:01 HacMan137

Please use the issue template for bugs. Also, see the following discussion: https://github.com/capstone-engine/capstone/discussions/2505

Rot127 avatar Jan 27 '25 19:01 Rot127

Please use the issue template for bugs. Also, see the following discussion: #2505

Apologies - should be better now

HacMan137 avatar Jan 27 '25 19:01 HacMan137