radareorg · trufae · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025
diff --git a/libr/anal/p/anal_tp.c b/libr/anal/p/anal_tp.c
@@ -1375,6 +1375,9 @@ static inline void tp_state_reset(TypePropState *state) {
 	state->str_flag = false;
 	state->prop = false;
 	state->prev_dest = NULL;
+	state->prev_var = NULL;
+	state->userfnc = false;
+	memset (state->prev_type, 0, sizeof (state->prev_type));
 }
 
 static inline void tp_state_fini(TypePropState *state) {
@@ -1440,6 +1443,9 @@ R_API void r_anal_type_match(RAnal *anal, RAnalFunction *fcn) {
 			retries--;
 			goto repeat;
 		}
+		R_FREE (tp_state.ret_type);
+		R_FREE (tp_state.ret_reg);
+		tp_state.resolved = false;
 		ut64 bb_addr = bb->addr;
 		ut64 bb_size = bb->size;
 		const ut64 buf_size = bb->size + 32;
@@ -1659,7 +1665,7 @@ R_API void r_anal_type_match(RAnal *anal, RAnalFunction *fcn) {
 			// Type propagation using instruction access pattern
 			if (var) {
 				bool sign = false;
-				if ((type == R_ANAL_OP_TYPE_CMP) && next_op) {
+				if ((type == R_ANAL_OP_TYPE_CMP) && next_op && (next_op->type == R_ANAL_OP_TYPE_CJMP)) {
 					if (next_op->sign) {
 						sign = true;
 					} else {

diff --git a/libr/core/casm.c b/libr/core/casm.c
@@ -570,7 +570,7 @@ R_API RList *r_core_asm_bwdisassemble(RCore *core, ut64 addr, int n, int len) {
 
 	r_asm_set_pc (core->rasm, at);
 	for (hit_count = 0; hit_count < n; hit_count++) {
-		RAnalOp op;
+		RAnalOp op = {0};
 		int instrlen = r_asm_disassemble (core->rasm, &op,
 			buf + len - addrbytes * (addr - at), addrbytes * (addr - at));
 		add_hit_to_hits (hits, at, instrlen, true);