From c40a4f9862104ede15d0ba05ccbf805923070778 Mon Sep 17 00:00:00 2001
From: pancake
Date: Tue, 5 Apr 2022 11:44:46 +0200
Subject: [PATCH] Fix another oobread segfault in the NE bin parser ##crash

* Reported by @han0nly via huntr.dev
* Reproducers: sample1 sample2 sample3
* BountyID: 47422cdf-aad2-4405-a6a1-6f63a3a93200
---
 libr/bin/format/ne/ne.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libr/bin/format/ne/ne.c b/libr/bin/format/ne/ne.c
index 210fe036925f6..ad7c86be17f47 100644
--- a/libr/bin/format/ne/ne.c
+++ b/libr/bin/format/ne/ne.c
@@ -374,6 +374,9 @@ RList *r_bin_ne_get_entrypoints(r_bin_ne_obj_t *bin) {
 }
 int off = 0;
 while (off < bin->ne_header->EntryTableLength) {
+ if (bin->entry_table + off + 32 >= r_buf_size (bin->buf)) {
+ break;
+ }
 ut8 bundle_length = *(ut8 *)(bin->entry_table + off);
 if (!bundle_length) {
 break;
@@ -398,7 +401,9 @@ RList *r_bin_ne_get_entrypoints(r_bin_ne_obj_t *bin) {
 ut8 segnum = *(bin->entry_table + off);
 off++;
 ut16 segoff = *(ut16 *)(bin->entry_table + off);
- entry->paddr = (ut64)bin->segment_entries[segnum - 1].offset * bin->alignment + segoff;
+ if (segnum > 0) {
+ entry->paddr = (ut64)bin->segment_entries[segnum - 1].offset * bin->alignment + segoff;
+ }
 } else { // Fixed
 entry->paddr = (ut64)bin->segment_entries[bundle_type - 1].offset * bin->alignment + *(ut16 *)(bin->entry_table + off);
 }
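Review bot: The guard added at the top of the while loop, `if (bin->entry_table + off + 32 >= r_buf_size (bin->buf))`, compares an address with a length: the lines right after it dereference `bin->entry_table + off` as a byte pointer, so the left side is wherever the table lives in memory rather than an offset into `bin->buf`, and a C compiler already diagnoses the pointer-vs-integer comparison. On a 64-bit host that address is almost always larger than the file size, so the loop most likely exits before the first bundle is parsed, and when it is not, the check bounds nothing. The quantity that needs bounding is `off`: before each read, check that the bytes about to be consumed fit in the table, e.g. `if (off + needed > bin->ne_header->EntryTableLength) break;` with `needed` the size of the next read (the length/type bytes here, the `segnum`/`segoff` bytes in the per-entry loop), which also replaces the arbitrary constant 32. Whether `entry_table` is backed by at least `EntryTableLength` bytes is not visible here — `r_bin_ne_get_entrypoints` begins and ends outside this hunk — so that allocation should be confirmed when the bound is moved.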
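Review bot: `if (segnum > 0)` only removes the `segment_entries[-1]` read for a zero segment number; a `segnum` larger than the number of parsed segments still indexes `bin->segment_entries` past its end, which is the same class of out-of-bounds read this commit is fixing. The guard should bound the index from above as well, `if (segnum > 0 && segnum <= nsegs)`, where `nsegs` is the segment count `segment_entries` was sized from (the NE header field is not visible in this hunk). The fixed-entry branch on the unchanged `} else { // Fixed` line indexes `segment_entries[bundle_type - 1]` with the same unchecked value and needs the same bound. When the guard rejects an entry, `entry->paddr` keeps whatever it held before — its initialization is outside the hunk, as is the start and end of `r_bin_ne_get_entrypoints` — so either skip the entry or assign an explicit invalid `paddr` rather than leaving it stale.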