fix #2970 - oob read in coresymbolication.c and in bin_dyldcache.c

rizinorg · Aug 23, 2022 · d132e21 · d132e21
1 parent 47a7326
commit d132e21
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/librz/bin/format/mach0/coresymbolication.c b/librz/bin/format/mach0/coresymbolication.c
@@ -199,7 +199,7 @@ RZ_API RzCoreSymCacheElement *rz_coresym_cache_element_new(RzBinFile *bf, RzBuff
 			RzCoreSymCacheElementSegment *seg = &result->segments[i];
 			seg->paddr = seg->vaddr = rz_read_le64(cursor);
 			cursor += 8;
-			if (cursor >= end) {
+			if ((cursor + 8) >= end) {
 				goto beach;
 			}
 			seg->size = seg->vsize = rz_read_le64(cursor);

diff --git a/librz/bin/p/bin_dyldcache.c b/librz/bin/p/bin_dyldcache.c
@@ -434,6 +434,11 @@ static RzList *classes(RzBinFile *bf) {
 			ut8 *pointers_end = pointers + sections[i].size;
 
 			for (; cursor < pointers_end; cursor += 8) {
+				if ((cursor + 8) > pointers_end) {
+					MACH0_(mach0_free)
+					(mach0);
+					goto beach;
+				}
 				ut64 pointer_to_class = rz_read_le64(cursor);
 
 				RzBinClass *klass;