From bd2f7bc1f4f724218543c9153d8b9b0c0425d646 Mon Sep 17 00:00:00 2001
From: colton-gabertan
Date: Thu, 24 Aug 2023 22:09:08 +0000
Subject: [PATCH] hotfix: fix indirect address dereference handling

---
 capa/features/extractors/ghidra/insn.py | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/capa/features/extractors/ghidra/insn.py b/capa/features/extractors/ghidra/insn.py
index 17fb9cc0..41787cc8 100644
--- a/capa/features/extractors/ghidra/insn.py
+++ b/capa/features/extractors/ghidra/insn.py
@@ -47,7 +47,7 @@ def check_for_api_call(insn, funcs: Dict[int, Any]) -> Iterator[Any]:
                 return
             else:
                 return
-        elif ref_type in (addr_data, addr_code) or OperandType.isIndirect(ref_type):
+        elif ref_type in (addr_data, addr_code) or (OperandType.isIndirect(ref_type) and OperandType.isAddress(ref_type)):
             # we must dereference and check if the addr is a pointer to an api function
             addr_ref = capa.features.extractors.ghidra.helpers.dereference_ptr(insn)
             if not capa.features.extractors.ghidra.helpers.check_addr_for_api(
@@ -60,6 +60,11 @@ def check_for_api_call(insn, funcs: Dict[int, Any]) -> Iterator[Any]:
         else:
             # pure address does not need to get dereferenced/ handled
             addr_ref = insn.getAddress(0)
+            if not addr_ref:
+                # If it returned null, it was an indirect
+                # that had no address reference.
+                # This check is faster than checking for (indirect and not address)
+                return
             if not capa.features.extractors.ghidra.helpers.check_addr_for_api(
                 addr_ref, mapped_fake_addrs, imports, externs
             ):
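Review bot: The `else` branch is still introduced by `# pure address does not need to get dereferenced/ handled`, but with the new `isAddress` condition that branch now also receives indirect operands with no address reference, which is exactly the case the added `if not addr_ref:` guard handles, so the stale comment should say so, e.g. `# pure address, or an indirect operand with no address reference (getAddress(0) returns None then)`. The guard itself reads more precisely as `if addr_ref is None:`, since a null return from `getAddress(0)` is the only condition the added comment describes, and the "faster than" remark in that comment is an unmeasured claim that could simply be dropped. The same condition and guard are duplicated in extract_insn_cross_section_cflow (the two hunks that follow), so a small helper in capa.features.extractors.ghidra.helpers that resolves the operand address or returns None would keep the two call sites from drifting apart. Both check_for_api_call and extract_insn_cross_section_cflow start and end outside these hunks.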
@@ -316,7 +321,7 @@ def extract_insn_cross_section_cflow(
                 return
             else:
                 return
-        elif ref_type in (addr_data, addr_code) or OperandType.isIndirect(ref_type):
+        elif ref_type in (addr_data, addr_code) or (OperandType.isIndirect(ref_type) and OperandType.isAddress(ref_type)):
             # we must dereference and check if the addr is a pointer to an api function
             ref = capa.features.extractors.ghidra.helpers.dereference_ptr(insn)
             if capa.features.extractors.ghidra.helpers.check_addr_for_api(ref, mapped_fake_addrs, imports, externs):
@@ -326,6 +331,11 @@ def extract_insn_cross_section_cflow(
         else:
             # pure address does not need to get dereferenced/ handled
             ref = insn.getAddress(0)
+            if not ref:
+                # If it returned null, it was an indirect
+                # that had no address reference.
+                # This check is faster than checking for (indirect and not address)
+                return
             if capa.features.extractors.ghidra.helpers.check_addr_for_api(ref, mapped_fake_addrs, imports, externs):
                 return