fix #2972 - oob read in ne.c
wargio authored and XVilka committed Aug 30, 2022
1 parent a79f980 commit 2eb6ce8
Showing 1 changed file with 16 additions and 7 deletions.
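--- a/librz/bin/format/ne/ne.c
+++ b/librz/bin/format/ne/ne.c
@@ -429,26 +429,35 @@ RzList *rz_bin_ne_get_entrypoints(rz_bin_ne_obj_t *bin) {
 break;
 } else if (bundle_type == 0xFF) { // Moveable
 off += 2;
-ut8 segnum = *(bin->entry_table + off);
+if ((off + 1) >= bin->ne_header->EntryTableLength) {
+free(entry);
+goto end;
+}
+ut8 segnum = rz_read_le8(bin->entry_table + off);
 off++;
-ut16 segoff = *(ut16 *)(bin->entry_table + off);
-if (!segnum) {
+if ((off + 2) >= bin->ne_header->EntryTableLength) {
+free(entry);
+goto end;
+}
+ut16 segoff = rz_read_le16(bin->entry_table + off);
+if (!segnum || segnum > bin->ne_header->SegCount) {
 free(entry);
 continue;
 }
 entry->paddr = (ut64)bin->segment_entries[segnum - 1].offset * bin->alignment + segoff;
 } else { // Fixed
-ut16 *p = (ut16 *)(bin->entry_table + off);
-if (off >= bin->ne_header->EntryTableLength || bundle_type > bin->ne_header->SegCount) {
+ut8 *p = bin->entry_table + off;
+if ((off + 2) >= bin->ne_header->EntryTableLength || bundle_type > bin->ne_header->SegCount) {
 free(entry);
-continue;
+goto end;
 }
-entry->paddr = (ut64)bin->segment_entries[bundle_type - 1].offset * bin->alignment + (*p);
+entry->paddr = (ut64)bin->segment_entries[bundle_type - 1].offset * bin->alignment + rz_read_le16(p);
 }
 off += 2;
 rz_list_append(entries, entry);
 }
 }
+end:
 rz_list_free(segments);
 bin->entries = entries;
 return entries;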
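Review bot: In the Moveable branch the `continue` taken when `segnum` is zero or above `SegCount` skips the `off += 2;` at the bottom of the loop body, so the next iteration appears to resume parsing in the middle of the rejected entry's segment offset; adding `off += 2;` before that `continue;` would keep the cursor aligned. The Fixed branch now treats an out-of-range `bundle_type` as fatal (`goto end`) while the Moveable branch only skips the entry, and the two should agree on one policy for a bad segment index coming from an untrusted file. The new length checks use `>=`, which also rejects a read that ends exactly at `EntryTableLength`; `(off + 2) > bin->ne_header->EntryTableLength` would be sufficient if the table buffer really holds that many bytes, which is not visible here. The loop headers and the allocation of `entry_table` and `segment_entries` lie outside the hunk, so these points should be confirmed against the full function.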
