Fix oob write in dyldcache
When the individual n_slide_infos were too high, the sum would overflow
and too few entries would be allocated.
thestr4ng3r authored and wargio committed Aug 17, 2022
1 parent 0e86b74 commit 556ca2f
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions librz/bin/format/mach0/dyldcache.c
Expand Up @@ -995,7 +995,7 @@ static RzDyldRebaseInfos *get_rebase_infos(RzDyldCache *cache) {
}

if (!cache->hdr->slideInfoOffset || !cache->hdr->slideInfoSize) {
ut32 total_slide_infos = 0;
size_t total_slide_infos = 0;
ut32 n_slide_infos[MAX_N_HDR];

ut32 i;
Expand All @@ -1004,7 +1004,12 @@ static RzDyldRebaseInfos *get_rebase_infos(RzDyldCache *cache) {
if (!rz_buf_read_le32_at(cache->buf, 0x13c + hdr_offset, &n_slide_infos[i])) {
goto beach;
}
total_slide_infos += n_slide_infos[i];
ut32 total = total_slide_infos + n_slide_infos[i];
if (total < total_slide_infos) {
// overflow
goto beach;
}
total_slide_infos = total;
}

if (!total_slide_infos) {
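Review bot: The overflow check in the second hunk is correct only because the `size_t` sum is implicitly narrowed into `ut32 total`, which is easy to misread now that `total_slide_infos` is declared `size_t` in the first hunk. Stating the bound directly makes the intent explicit and avoids the mixed-width arithmetic: `if (n_slide_infos[i] > UT32_MAX - total_slide_infos) { goto beach; }` followed by `total_slide_infos += n_slide_infos[i];`. The per-header counts are read straight from the file, so an accepted total can still be close to 2^32. The allocation and the loops that consume it are outside the visible lines, so it is worth confirming there that the element-size multiplication is overflow-checked and that the count is bounded by what the buffer can actually hold. get_rebase_infos starts and ends outside the hunks.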