From 1dd65336f0f0c351d6ea853efcf73cf9c0030862 Mon Sep 17 00:00:00 2001
From: pancake
Date: Sun, 17 Apr 2022 01:06:07 +0200
Subject: [PATCH] Fix oobread bug in NE parser ##crash

* Reported by @cnitlrt via huntrdev
* BountyID: 02b4b563-b946-4343-9092-38d1c5cd60c9
* Reproducer: neoobread
---
 libr/bin/format/mach0/coresymbolication.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/libr/bin/format/mach0/coresymbolication.c b/libr/bin/format/mach0/coresymbolication.c
index f350199550b50..f554898c9401d 100644
--- a/libr/bin/format/mach0/coresymbolication.c
+++ b/libr/bin/format/mach0/coresymbolication.c
@@ -274,12 +274,12 @@ RCoreSymCacheElement *r_coresym_cache_element_new(RBinFile *bf, RBuffer *buf, ut
 sect->vaddr += page_zero_size;
 }
 cursor += word_size;
- if (cursor >= end) {
+ if (cursor + word_size >= end) {
 break;
 }
 sect->size = r_read_ble (cursor, false, bits);
 cursor += word_size;
- if (cursor >= end) {
+ if (cursor + word_size >= end) {
 break;
 }
 ut64 sect_name_off = r_read_ble (cursor, false, bits);
@@ -291,7 +291,11 @@ RCoreSymCacheElement *r_coresym_cache_element_new(RBinFile *bf, RBuffer *buf, ut
 cursor += word_size;
 }
 string_origin = relative_to_strings? b + start_of_strings : sect_start;
- sect->name = str_dup_safe (b, string_origin + (size_t)sect_name_off, end);
+ if (sect_name_off < (ut64)(size_t)(end - string_origin)) {
+ sect->name = str_dup_safe (b, string_origin + sect_name_off, end);
+ } else {
+ sect->name = strdup ("");
+ }
 }
 }
 if (hdr->n_symbols) {
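Review bot: Both new guards `if (cursor + word_size >= end)` are conservative by one and form a pointer that may lie beyond `end`: a word whose last byte is `end - 1` gives `cursor + word_size == end`, which is a fully in-bounds read for `r_read_ble`, yet the guard breaks out, and when `cursor` is already within `word_size` of `end` the sum points past one-past-the-end, which C does not define. Expressing the check as remaining length avoids both, `if ((size_t)(end - cursor) < word_size) { break; }`, assuming `cursor <= end` holds at that point, which the preceding `cursor += word_size` after an earlier guard suggests but the hunk does not show. If the same pattern is used for the other reads in this loop (the `cursor += word_size` before the second hunk is the only other one visible), the same rewrite applies there. `r_coresym_cache_element_new` begins and ends outside the hunk.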
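Review bot: The new bound `sect_name_off < (ut64)(size_t)(end - string_origin)` is only meaningful when `string_origin` does not exceed `end`; with `relative_to_strings` set, `string_origin` is `b + start_of_strings`, and if `start_of_strings` is file-derived and not range-checked earlier (nothing in this hunk shows such a check), `end - string_origin` is negative, the `size_t` cast turns it into a huge value, the guard passes, and `str_dup_safe` receives a start pointer past `end`, whose handling of that case is not visible here. Putting the pointer check first closes the gap: `if (string_origin <= end && sect_name_off < (ut64)(end - string_origin)) {`. The fallback `sect->name = strdup ("");` is also not checked for NULL, so `sect->name` can still end up NULL on allocation failure; a comment such as `/* name stays NULL on OOM; callers must tolerate it */` or an explicit check would make that contract clear. `r_coresym_cache_element_new` begins and ends outside the hunk.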