Fix #6647 - check map bounds in the pebble bin loader ##bin

libr/bin/p/bin_pebble.c

@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2014-2019 - pancake */
+/* radare - LGPL - Copyright 2014-2022 - pancake */
 
 #include <r_types.h>
 #include <r_util.h>
@@ -102,13 +102,21 @@ static RList* sections(RBinFile *bf) {
 		return ret;
 	}
 	ptr->name = strdup ("relocs");
-	ptr->vsize = ptr->size = pai.num_reloc_entries * sizeof (ut32);
-	ptr->vaddr = ptr->paddr = pai.reloc_list_start;
-	ptr->perm = R_PERM_RW;
-	ptr->add = true;
-	r_list_append (ret, ptr);
-	if (ptr->vaddr < textsize) {
-		textsize = ptr->vaddr;
+	ut64 sz = pai.num_reloc_entries * sizeof (ut32);
+	ut64 ss = pai.reloc_list_start;
+	if (ss < r_buf_size (bf->buf)) {
+		if (ss + sz >= r_buf_size (bf->buf)) {
+			ut64 left = r_buf_size (bf->buf) - ss;
+			sz = left;
+		}
+		ptr->vaddr = ptr->paddr = ss;
+		ptr->vsize = ptr->size = sz;
+		ptr->perm = R_PERM_RWX;
+		ptr->add = true;
+		r_list_append (ret, ptr);
+		if (ptr->vaddr < textsize) {
+			textsize = ptr->vaddr;
+		}
 	}
 
 	// imho this must be a symbol

test/db/formats/pebble

@@ -0,0 +1,29 @@
+NAME=Pebble: Open/iI
+FILE=bins/pebble/pebble-app.bin
+CMDS=iI~?pebble
+EXPECT=<<EOF
+1
+EOF
+RUN
+
+NAME=Pebble: page perms
+FILE=bins/pebble/pebble-app.bin
+CMDS=<<EOF
+aaa
+aflc
+EOF
+EXPECT=<<EOF
+65
+EOF
+RUN
+
+NAME=Pebble: negative region bug
+FILE=bins/pebble/pebble-app2.bin
+CMDS=<<EOF
+om
+EOF
+EXPECT=<<EOF
+* 2 fd: 3 +0x00000000 0x00000000 - 0x000000d7 r-x fmap.relocs
+- 1 fd: 3 +0x00000000 0x00000000 - 0x0000007b r-- fmap.header
+EOF
+RUN

test/db/formats/peeble

@@ -1,7 +0,0 @@
-NAME=Peeble: Open/iI
-FILE=bins/pebble/pebble-app.bin
-CMDS=iI~?pebble
-EXPECT=<<EOF
-1
-EOF
-RUN