fix #2956 - oob write in mach0.c

rizinorg · Aug 30, 2022 · eeaf7c6 · eeaf7c6
1 parent 2e3c0ae
commit eeaf7c6
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/librz/bin/format/mach0/mach0.c b/librz/bin/format/mach0/mach0.c
@@ -1597,7 +1597,7 @@ static bool reconstruct_chained_fixup(struct MACH0_(obj_t) * bin) {
 						cur_seg->page_size = ps;
 						cur_seg->page_count = ((bin->segs[seg_idx].vmsize + (ps - 1)) & ~(ps - 1)) / ps;
 						if (cur_seg->page_count > 0) {
-							cur_seg->page_start = malloc(sizeof(ut16) * cur_seg->page_count);
+							cur_seg->page_start = RZ_NEWS0(ut16, cur_seg->page_count);
 							if (!cur_seg->page_start) {
 								break;
 							}
@@ -1607,8 +1607,7 @@ static bool reconstruct_chained_fixup(struct MACH0_(obj_t) * bin) {
 				}
 				if (cur_seg) {
 					ut32 page_index = (ut32)(seg_off / ps);
-					size_t maxsize = cur_seg->page_count * sizeof(ut16);
-					if (page_index < maxsize) {
+					if (page_index < cur_seg->page_count) {
 						cur_seg->page_start[page_index] = seg_off & 0xfff;
 					}
 				}