From 9650e3c352f675687bf6c6f65ff2c4a3d0e288fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sergi=20=C3=80lvarez=20i=20Capilla?=
Date: Mon, 7 Feb 2022 21:21:21 +0100
Subject: [PATCH] Fix oobread segfault in java arith8.class ##crash
* Reported by Cen Zhang via huntr.dev
---
 shlr/java/class.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/shlr/java/class.c b/shlr/java/class.c
index abdee3bf46d3a..2fe6465b6cc94 100644
--- a/shlr/java/class.c
+++ b/shlr/java/class.c
@@ -3733,6 +3733,10 @@ R_API RBinJavaAttrInfo *r_bin_java_inner_classes_attr_new(RBinJavaObj *bin, ut8
 ut64 offset = 0, curpos;
 attr = r_bin_java_default_attr_new (bin, buffer, sz, buf_offset);
 offset += 6;
+ if (buf_offset + offset + 8 > sz) {
+ eprintf ("Invalid amount of inner classes\n");
+ return NULL;
+ }
 if (attr == NULL) {
 // TODO eprintf
 return attr;
@@ -3743,7 +3747,7 @@ R_API RBinJavaAttrInfo *r_bin_java_inner_classes_attr_new(RBinJavaObj *bin, ut8
 attr->info.inner_classes_attr.classes = r_list_newf (r_bin_java_inner_classes_attr_entry_free);
 for (i = 0; i < attr->info.inner_classes_attr.number_of_classes; i++) {
 curpos = buf_offset + offset;
- if (offset + 8 > sz) {
+ if (buf_offset + offset + 8 > sz) {
 eprintf ("Invalid amount of inner classes\n");
 break;
 }
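Review bot: The bounds check added in the first hunk returns NULL after `attr` has already been allocated by `r_bin_java_default_attr_new`, so a truncated attribute now leaks that object on the new early-return path. Placing the check below the existing `if (attr == NULL)` block and releasing `attr` before `return NULL;` (with this file's attribute destructor — `r_bin_java_attribute_free`, if I recall the naming; please confirm) closes the leak without changing what is rejected. Both hunks evaluate `buf_offset + offset + 8` in unsigned arithmetic (`offset` is ut64 per the context line); if `buf_offset` can be derived from the parsed class file, that sum can wrap to a value below `sz` and defeat the guard, so a subtraction form such as `if (sz < buf_offset || sz - buf_offset < offset + 8)` is the safer spelling in both places. The enclosing function starts and ends outside both hunks, and whether `sz` is the whole buffer length or the bytes remaining after `buf_offset` is not visible here; the loop's `curpos = buf_offset + offset` suggests the former, which is what the new comparison assumes.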