Check Mach_header.ncmds at unpack

https://github.com/upx/upx/issues/563 modified: p_mach.cpp
2022-02-25 09:32:29 -08:00 · 2022-02-25 09:32:29 -08:00 · 651155c64d
commit 651155c64d
parent 660aee6d22
1 changed files with 5 additions and 0 deletions
--- a/src/p_mach.cpp
+++ b/src/p_mach.cpp
@ -1508,6 +1508,11 @@ void PackMachBase<T>::unpack(OutputFile *fo)
        throwCantUnpack("file header corrupted");
    unsigned const ncmds = mhdr->ncmds;

+    if (!ncmds || 24 < ncmds) { // arbitrary limit
+        char msg[40]; snprintf(msg, sizeof(msg),
+            "bad Mach_header.ncmds = %d", ncmds);
+        throwCantUnpack(msg);
+    }
    msegcmd_buf.alloc(sizeof(Mach_segment_command) * ncmds);
    msegcmd = (Mach_segment_command *)msegcmd_buf.getVoidPtr();
    unsigned char const *ptr = (unsigned char const *)(1+mhdr);