void MACH0_(iterate_chained_fixups) in libr/bin/format/mach0/mach0.c once caused a NULL pointer dereference by visiting a MACH0_(obj_t) pointer directly.
ut16 page_start = obj->chained_starts[i]->page_start[page_idx];
It was fixed in Commit a5aafb9
+ if (!bin->chained_starts[i]->page_start) {
+ break;
+ }
ut16 page_start = bin->chained_starts[i]->page_start[page_idx];
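Review bot: the guard `if (!bin->chained_starts[i]->page_start)` still dereferences `bin->chained_starts[i]` unconditionally, so it only closes the NULL `page_start` case; unless the enclosing loop has already rejected a NULL `chained_starts[i]`, that entry needs its own check. The `break` also ends the loop at the first segment without a page table rather than skipping that segment; if later segments can still carry valid tables, `continue` keeps them. Consider `if (!bin->chained_starts[i] || !bin->chained_starts[i]->page_start) { continue; }` ahead of the `page_start` read.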
Similar Issue
rebase_buffer_fixup in libr/bin/p/bin_xnu_kernelcache.c contains similar logic
struct MACH0_(obj_t) *obj = kobj->mach0;
...
ut64 page_size = obj->chained_starts[i]->page_size;
Would it make sense to fix it by adding the pointer check in the same way Commit a5aafb9 did?
Thank you for spending time reading this issue. Apologies if I missed anything.
CVE-2022-1649
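The pointer check the report asks for, shown as an added, stand-alone example rather than radare2's own code. The `chained_start_t` and `mach0_t` structs, the `count_fixup_pages`, `build_sample` and `run_sample` functions and the sample page table are all constructed here to mimic the shape of `obj->chained_starts[i]->page_start`; the only value taken from outside the issue is `0xFFFF`, the `DYLD_CHAINED_PTR_START_NONE` marker from Apple's fixup-chains.h. The walk checks both the per-segment entry and its `page_start` array before reading, and a missing table skips that segment instead of ending the walk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>

typedef uint16_t ut16;
typedef uint64_t ut64;

/* Constructed stand-ins for the structures the issue names; they mimic the shape
 * of obj->chained_starts[i]->page_start but are NOT radare2's definitions. */
typedef struct {
	ut64 page_size;
	ut16 page_count;
	ut16 *page_start;                   /* NULL when the segment has no page table */
} chained_start_t;

typedef struct {
	size_t nsegs;
	chained_start_t **chained_starts;   /* individual entries may also be NULL */
} mach0_t;

#define PTR_START_NONE 0xFFFF   /* DYLD_CHAINED_PTR_START_NONE, Apple fixup-chains.h */

/* Walks every segment's page table and counts pages that begin a fixup chain.
 * Returns -1 for an unusable object, otherwise the page count; out_skipped
 * (optional) receives the number of segments skipped by the NULL guard. */
int count_fixup_pages(const mach0_t *obj, size_t *out_skipped) {
	if (!obj || !obj->chained_starts) {
		return -1;
	}
	int pages = 0;
	size_t skipped = 0;
	for (size_t i = 0; i < obj->nsegs; i++) {
		const chained_start_t *cs = obj->chained_starts[i];
		if (!cs || !cs->page_start) {   /* the guard the report asks about */
			skipped++;
			continue;                   /* skip this segment, keep walking */
		}
		for (ut16 p = 0; p < cs->page_count; p++) {
			ut16 page_start = cs->page_start[p];
			if (page_start == PTR_START_NONE) {
				continue;               /* page carries no chain */
			}
			pages++;
		}
	}
	if (out_skipped) {
		*out_skipped = skipped;
	}
	return pages;
}

/* Constructed sample input: segment 0 has a table with two live pages,
 * segment 1 has page_start == NULL, segment 2 is a NULL entry altogether. */
static mach0_t *build_sample(void) {
	static ut16 table0[3] = { 0, PTR_START_NONE, 8 };
	mach0_t *obj = calloc(1, sizeof(*obj));
	obj->nsegs = 3;
	obj->chained_starts = calloc(obj->nsegs, sizeof(chained_start_t *));
	chained_start_t *seg0 = calloc(1, sizeof(*seg0));
	seg0->page_size = 0x4000;
	seg0->page_count = 3;
	seg0->page_start = table0;
	chained_start_t *seg1 = calloc(1, sizeof(*seg1));
	seg1->page_size = 0x4000;           /* page_start deliberately left NULL */
	obj->chained_starts[0] = seg0;
	obj->chained_starts[1] = seg1;
	obj->chained_starts[2] = NULL;
	return obj;
}

static void free_sample(mach0_t *obj) {
	for (size_t i = 0; i < obj->nsegs; i++) {
		free(obj->chained_starts[i]);
	}
	free(obj->chained_starts);
	free(obj);
}

/* Runs the guarded walk over the sample: 2 live pages, 2 segments skipped. */
int run_sample(size_t *out_skipped) {
	mach0_t *obj = build_sample();
	int pages = count_fixup_pages(obj, out_skipped);
	free_sample(obj);
	return pages;
}

int main(void) {
	size_t skipped = 0;
	int pages = run_sample(&skipped);
	printf("fixup pages: %d, segments skipped: %zu\n", pages, skipped);
	return 0;
}
```

Removing the `!cs || !cs->page_start` guard reproduces the crash class the issue describes on the same input, since segment 1 would be read through a NULL `page_start`; with the guard in place the walk reports the two live pages and notes the two skipped segments.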