From 2c27fd9b41a8521fd7d785c5238d85905f70cfa2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lvaro=20Felipe=20Melchor?=
Date: Wed, 23 Nov 2016 20:31:45 +0100
Subject: [PATCH] Fix oob read in parse_signature

---
 libr/bin/format/mach0/mach0.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/libr/bin/format/mach0/mach0.c b/libr/bin/format/mach0/mach0.c
index 9978c2a2e8..73ff11246f 100644
--- a/libr/bin/format/mach0/mach0.c
+++ b/libr/bin/format/mach0/mach0.c
@@ -577,18 +577,19 @@ static bool parse_signature(struct MACH0_(obj_t) *bin, ut64 off) {
 idx.type = r_read_ble32 (&bi.type, little_);
 idx.offset = r_read_ble32 (&bi.offset, little_);
 if (idx.type == CSSLOT_ENTITLEMENTS) {
- if (idx.offset > bin->size || idx.offset + sizeof (struct blob_t) > bin->size) {
+ ut64 off = data + idx.offset;
+ if (off > bin->size || off + sizeof (struct blob_t) > bin->size) {
 bin->signature = (ut8 *)strdup ("Malformed entitlement");
 break;
 }
 struct blob_t entitlements = {};
- entitlements.magic = r_read_ble32 (bin->b->buf + data + idx.offset, little_);
- entitlements.length = r_read_ble32 (bin->b->buf + data + idx.offset + 4, little_);
+ entitlements.magic = r_read_ble32 (bin->b->buf + off, little_);
+ entitlements.length = r_read_ble32 (bin->b->buf + off + 4, little_);
 len = entitlements.length - sizeof(struct blob_t);
 if (len <= bin->size && len > 1) {
 bin->signature = calloc (1, len + 1);
 if (bin->signature) {
- ut8 *src = bin->b->buf + data + idx.offset + sizeof (struct blob_t);
+ ut8 *src = bin->b->buf + off + sizeof (struct blob_t);
 memcpy (bin->signature, src, len);
 bin->signature[len] = '\0';
 return true;
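Review bot: The memcpy can still read past the end of the file buffer, because the guard `len <= bin->size` bounds the copy length by the whole file size rather than by the bytes remaining after the blob header at `off + sizeof (struct blob_t)`, which is all the new check validates; an attacker-controlled `entitlements.length` near `bin->size` with a blob placed near the end of the file walks off `bin->b->buf`. Since the new check already guarantees `off + sizeof (struct blob_t) <= bin->size`, the remaining-space form cannot underflow: `if (len > 1 && len <= bin->size - off - sizeof (struct blob_t)) {`. The new local `ut64 off` also shadows the function's `off` parameter visible in the hunk header, which `-Wshadow` will flag and which makes the two offsets easy to confuse; a distinct name such as `ent_off` would be clearer. `len` and `data` are declared outside the hunk, so if `len` is a signed type the underflow in `entitlements.length - sizeof(struct blob_t)` becomes negative and is only rejected by `len > 1`, which deserves a comment such as `/* length below the header size wraps/negates and is rejected by the len > 1 check */`. parse_signature begins before and ends after this hunk.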