From d132e21b810d531d305ac9c895230df2a6b623ac Mon Sep 17 00:00:00 2001
From: wargio
Date: Tue, 23 Aug 2022 12:12:14 +0200
Subject: [PATCH] fix #2970 - oob read in coresymbolication.c and in bin_dyldcache.c

---
 librz/bin/format/mach0/coresymbolication.c | 2 +-
 librz/bin/p/bin_dyldcache.c | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/librz/bin/format/mach0/coresymbolication.c b/librz/bin/format/mach0/coresymbolication.c
index 26363c3da4c..8d638c8bf39 100644
--- a/librz/bin/format/mach0/coresymbolication.c
+++ b/librz/bin/format/mach0/coresymbolication.c
@@ -199,7 +199,7 @@ RZ_API RzCoreSymCacheElement *rz_coresym_cache_element_new(RzBinFile *bf, RzBuff
 		RzCoreSymCacheElementSegment *seg = &result->segments[i];
 		seg->paddr = seg->vaddr = rz_read_le64(cursor);
 		cursor += 8;
-		if (cursor >= end) {
+		if ((cursor + 8) >= end) {
 			goto beach;
 		}
 		seg->size = seg->vsize = rz_read_le64(cursor);
diff --git a/librz/bin/p/bin_dyldcache.c b/librz/bin/p/bin_dyldcache.c
index a7d8ea48edc..18678a309be 100644
--- a/librz/bin/p/bin_dyldcache.c
+++ b/librz/bin/p/bin_dyldcache.c
@@ -434,6 +434,11 @@ static RzList *classes(RzBinFile *bf) {
 		ut8 *pointers_end = pointers + sections[i].size;
 		for (; cursor < pointers_end; cursor += 8) {
+			if ((cursor + 8) > pointers_end) {
+				MACH0_(mach0_free)
+				(mach0);
+				goto beach;
+			}
 			ut64 pointer_to_class = rz_read_le64(cursor);
 			RzBinClass *klass;
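Review bot: The new bound `if ((cursor + 8) >= end)` computes `cursor + 8` before comparing, and when fewer than 8 bytes remain that pointer lies more than one past the end of the buffer, which is undefined behaviour in C even if it is never dereferenced; the `(cursor + 8) > pointers_end` test in the bin_dyldcache.c hunk has the same shape. Assuming the earlier check in this loop keeps `cursor` at or below `end` (it is not visible in the hunk), the remaining length can be tested as a difference that stays inside the object, `if (end - cursor < 8) {`. Note also that `>=` here rejects a segment whose 8-byte size field ends exactly at `end`, whereas the dyldcache hunk uses `>`; if further reads on the same segment follow later in this loop the stricter form may be deliberate, otherwise `end - cursor < 8` is the exact bound for the single `rz_read_le64` that follows. rz_coresym_cache_element_new begins and ends outside the hunk.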