From ae77fd60bbdfda439b44564873fb2a96a3d02283 Mon Sep 17 00:00:00 2001
From: John Reiser <jreiser@BitWagon.com>
Date: Fri, 17 Nov 2023 07:23:11 -0800
Subject: [PATCH] initial headway is limited by both file_size and
 mhcmdi.sizeofcmds

https://github.com/upx/upx/issues/732
	modified:   p_mach.cpp
---
 src/p_mach.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/p_mach.cpp b/src/p_mach.cpp
index 7878916c..fb1fcbf6 100644
--- a/src/p_mach.cpp
+++ b/src/p_mach.cpp
@@ -1952,7 +1952,7 @@ tribool PackMachBase<T>::canPack()
         throwCantPack("256 < Mach_header.ncmds");
     }
     unsigned const sz_mhcmds = (unsigned)mhdri.sizeofcmds;
-    unsigned headway = file_size - sizeof(mhdri);
+    unsigned headway = umin(sz_mhcmds, file_size - sizeof(mhdri));
     if (headway < sz_mhcmds) {
         char buf[32]; snprintf(buf, sizeof(buf), "bad sizeofcmds %d", sz_mhcmds);
         throwCantPack(buf);
@@ -1961,7 +1961,7 @@ tribool PackMachBase<T>::canPack()
     ||  32768 < sz_mhcmds) { // somewhat arbitrary, but *-darwin.macho-upxmain.c
         throwCantPack("32768 < Mach_header.sizeofcmds (or ==0)");
     }
-    rawmseg_buf.alloc(sz_mhcmds);
+    rawmseg_buf.alloc(headway);
     rawmseg = (Mach_segment_command *)(void *)rawmseg_buf;
     fi->readx(rawmseg, mhdri.sizeofcmds);