From 4d018c070dda85368d71f4c167dc5d7b2798b497 Mon Sep 17 00:00:00 2001
From: ttxine
Date: Tue, 17 Oct 2023 15:42:56 +0300
Subject: [PATCH] le: Fix segfault in le.c
---
 librz/bin/format/le/le.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/librz/bin/format/le/le.c b/librz/bin/format/le/le.c
index 1f1208acc83..905ba50c610 100644
--- a/librz/bin/format/le/le.c
+++ b/librz/bin/format/le/le.c
@@ -805,6 +805,12 @@ static RZ_OWN LE_page *le_load_pages(rz_bin_le_obj_t *bin) {
 // assign object number to pages, calculate vaddr
 for (ut32 oi = 0; oi < h->objcnt; oi++) {
 LE_object *obj = &bin->objects[oi];
+ if (obj->page_tbl_idx > obj->page_tbl_entries) {
+ RZ_LOG_WARN("LE: object #%u page table index is greater than "
+ "entries count %u > %u, skipping its pages.\n",
+ oi + 1, obj->page_tbl_idx, obj->page_tbl_entries);
+ continue;
+ }
 ut32 voff = 0;
 LE_page *page = &le_pages[obj->page_tbl_idx - 1];
 for (ut32 i = 0; i < obj->page_tbl_entries; i++, page++) {
@@ -1015,7 +1021,7 @@ static RzVector /**/ *le_create_maps(rz_bin_le_obj_t *bin) {
 LE_map m = { .obj_num = oi + 1 };
 size_t len_before = rz_vector_len(le_maps);
 ut32 beg = obj->page_tbl_idx - 1, end = beg + obj->page_tbl_entries;
- for (ut32 pi = beg; pi != end; pi++) {
+ for (ut32 pi = beg; pi < end; pi++) {
 LE_page *page = &bin->le_pages[pi];
 m.first_page_num = pi + 1;
 if (page->type == PAGE_LEGAL) {
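Review bot: The new guard at the top of the object loop in the first hunk, `if (obj->page_tbl_idx > obj->page_tbl_entries)`, compares two unrelated header fields and does not bound the access that follows it: `&le_pages[obj->page_tbl_idx - 1]` plus `page_tbl_entries` increments of `page` requires `page_tbl_idx - 1 + page_tbl_entries` to stay within the number of entries `le_pages` was allocated with, and `page_tbl_idx == 0` still wraps `page_tbl_idx - 1` to 0xffffffff. As written it would also skip legitimate objects whose page table starts past entry `page_tbl_entries` (e.g. a second object starting at index 11 with 2 entries, since 11 > 2). A bound against the page count is needed instead, something like `if (obj->page_tbl_idx == 0 || obj->page_tbl_idx - 1 > PAGE_COUNT || obj->page_tbl_entries > PAGE_COUNT - (obj->page_tbl_idx - 1))`, where PAGE_COUNT is a placeholder for the count `le_pages` is sized from, with the warning text adjusted to match. The second hunk (`le_create_maps`) has the same gap: `pi < end` only stops the loop when `beg + obj->page_tbl_entries` wraps, so `bin->le_pages[pi]` is still read past the table when the sum exceeds the page count without overflowing. Both enclosing functions begin before their hunks, so the allocation size of `le_pages` is not visible here.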