From 2b77b277d67ce061ee6ef839e7139ebc2103c1e3 Mon Sep 17 00:00:00 2001
From: pancake
Date: Tue, 5 Apr 2022 19:39:26 +0200
Subject: [PATCH] Fix oobread in dyldcache ##crash
* Reported by @hdthky via huntr.dev
* Reproducers: poc1
* BountyID: 8ae2c61a-2220-47a5-bfe8-fe6d41ab1f82
---
 libr/bin/format/mach0/dyldcache.h | 2 +-
 libr/bin/p/bin_dyldcache.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/libr/bin/format/mach0/dyldcache.h b/libr/bin/format/mach0/dyldcache.h
index 9f00182cd2d4d..21e598abb31c8 100644
--- a/libr/bin/format/mach0/dyldcache.h
+++ b/libr/bin/format/mach0/dyldcache.h
@@ -1,4 +1,4 @@
-/* radare - LGPL - Copyright 2009-2010 nibble<.ds@gmail.com> */
+/* radare - LGPL - Copyright 2009-2022 nibble, pancake */
 #include
 #include "mach0_specs.h"
diff --git a/libr/bin/p/bin_dyldcache.c b/libr/bin/p/bin_dyldcache.c
index 0dc9d16a6deee..0d9af87a9fffb 100644
--- a/libr/bin/p/bin_dyldcache.c
+++ b/libr/bin/p/bin_dyldcache.c
@@ -1247,7 +1247,8 @@ static RList *create_cache_bins(RBinFile *bf, RDyldCache *cache) {
 if (deps && !deps[j]) {
 continue;
 }
- ut64 pa = va2pa (img[j].address, hdr->mappingCount, &cache->maps[maps_index], cache->buf, 0, NULL, NULL);
+ // ut64 pa = va2pa (img[j].address, hdr->mappingCount, &cache->maps[maps_index], cache->buf, 0, NULL, NULL);
+ ut64 pa = va2pa (img[j].address, cache->n_maps, &cache->maps[maps_index], cache->buf, 0, NULL, NULL);
 if (pa == UT64_MAX) {
 continue;
 }
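Review bot: The new count `cache->n_maps` is still paired with the offset base `&cache->maps[maps_index]` in the added `va2pa` call, so if `n_maps` is the total length of `cache->maps` (its definition is outside the hunk) and `maps_index` is non-zero, the walk can still run `maps_index` entries past the end of the array. Bounding the count by what remains after the offset would close that, e.g. `if (maps_index >= cache->n_maps) { continue; }` followed by `ut64 pa = va2pa (img[j].address, cache->n_maps - maps_index, &cache->maps[maps_index], cache->buf, 0, NULL, NULL);`. The old call kept as a `//` comment should be deleted and replaced by a short why-comment such as `// mappingCount comes from the file header and is untrusted; bound by the parsed map count`. The body of create_cache_bins starts and ends outside this hunk, so the loop that sets `maps_index` is not visible here and the guard placement should be confirmed against it.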