From 9a68723953e42443a8db801401c43b829b4b368f Mon Sep 17 00:00:00 2001
From: dev747368 <48332326+dev747368@users.noreply.github.com>
Date: Fri, 17 Apr 2026 18:26:38 +0000
Subject: [PATCH] GP-6711 img3 and vdex checking
---
 .../file/formats/android/vdex/headers/VdexHeader_006.java | 3 +++
 .../file/formats/android/vdex/headers/VdexHeader_019.java | 6 +++++-
 .../file/formats/android/vdex/headers/VdexHeader_021.java | 6 +++++-
 .../src/main/java/ghidra/file/formats/ios/img3/Img3.java | 7 +++++--
 4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_006.java b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_006.java
index 2940559071..dfbf488cf0 100644
--- a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_006.java
+++ b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_006.java
@@ -70,6 +70,9 @@ public class VdexHeader_006 extends VdexHeader {
 dexHeaderList.add(DexHeaderFactory.getDexHeader(tmpReader));
 tmpReader.setPointerIndex(0);
 int length = DexHeaderQuickMethods.getDexLength(tmpReader);
+ if (length <= 0) {
+ throw new IOException("Bad Dex length: " + length);
+ }
 dexHeaderStartsList.add(index);
 reader.setPointerIndex(index + length);
 }
diff --git a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_019.java b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_019.java
index 9d48f606b5..ec4187e072 100644
--- a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_019.java
+++ b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_019.java
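Review bot: The new `length <= 0` guard in VdexHeader_006 stops a stalled or backwards pointer, but it leaves two other file-supplied values unchecked: a positive `length` smaller than the DEX header that was just parsed, and one larger than the bytes remaining after `index`. The first lets the loop advance as little as one byte per pass and append a header to `dexHeaderList` each time, so a malformed VDEX can still cost roughly one parse and one object per byte; the second only fails later, presumably as a read error on the next iteration. Consider tightening the test to something like `if (length <= 0 || length > reader.length() - index) {`, plus a minimum equal to the header size. The same gap exists in the `getFileSize()` checks in VdexHeader_019 and VdexHeader_021 and in the `tagLen` check in Img3. The loop condition is outside the hunk, so an iteration cap from a file-supplied count may already limit this.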
@@ -25,7 +25,8 @@ import ghidra.file.formats.android.dex.DexHeaderFactory;
 import ghidra.file.formats.android.dex.format.DexHeader;
 import ghidra.file.formats.android.vdex.*;
 import ghidra.file.formats.android.vdex.sections.DexSectionHeader_002;
-import ghidra.program.model.data.*;
+import ghidra.program.model.data.DataType;
+import ghidra.program.model.data.Structure;
 import ghidra.util.exception.CancelledException;
 import ghidra.util.exception.DuplicateNameException;
 import ghidra.util.task.TaskMonitor;
@@ -74,6 +75,9 @@ public class VdexHeader_019 extends VdexHeader {
 DexHeader cdexHeader = DexHeaderFactory.getDexHeader(wrappedReader);
 dexHeaderList.add(cdexHeader);
+ if (cdexHeader.getFileSize() <= 0) {
+ throw new IOException("Bad cdex header length: " + cdexHeader.getFileSize());
+ }
 reader.setPointerIndex(index + cdexHeader.getFileSize());
 }
 }
diff --git a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_021.java b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_021.java
index 8334bba7c1..d4cdd2c64a 100644
--- a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_021.java
+++ b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/android/vdex/headers/VdexHeader_021.java
@@ -25,7 +25,8 @@ import ghidra.file.formats.android.dex.DexHeaderFactory;
 import ghidra.file.formats.android.dex.format.DexHeader;
 import ghidra.file.formats.android.vdex.*;
 import ghidra.file.formats.android.vdex.sections.DexSectionHeader_002;
-import ghidra.program.model.data.*;
+import ghidra.program.model.data.DataType;
+import ghidra.program.model.data.Structure;
 import ghidra.util.exception.CancelledException;
 import ghidra.util.exception.DuplicateNameException;
 import ghidra.util.task.TaskMonitor;
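Review bot: `cdexHeader.getFileSize()` is called three times in the lines added to VdexHeader_019 (the test, the message and the pointer advance); reading it once into a local, as the Img3 hunk of this patch does with `tagLen`, keeps the checked value and the used value visibly the same. For example `int cdexSize = cdexHeader.getFileSize();` followed by `reader.setPointerIndex(index + cdexSize);`, assuming the getter returns `int`. The check could also move above `dexHeaderList.add(cdexHeader);` so a rejected header is never recorded. The identical added block in VdexHeader_021 would take the same change, and the enclosing loop starts outside the hunk.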
@@ -79,6 +80,9 @@ public class VdexHeader_021 extends VdexHeader {
 DexHeader cdexHeader = DexHeaderFactory.getDexHeader(wrappedReader);
 dexHeaderList.add(cdexHeader);
+ if (cdexHeader.getFileSize() <= 0) {
+ throw new IOException("Bad cdex header length: " + cdexHeader.getFileSize());
+ }
 reader.setPointerIndex(index + cdexHeader.getFileSize());
 }
 }
diff --git a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/ios/img3/Img3.java b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/ios/img3/Img3.java
index e7d8ccf082..37eb4d5621 100644
--- a/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/ios/img3/Img3.java
+++ b/Ghidra/Features/FileFormats/src/main/java/ghidra/file/formats/ios/img3/Img3.java
@@ -51,8 +51,11 @@ public class Img3 implements StructConverter {
 AbstractImg3Tag tag = Img3TagFactory.get(reader);
 _tags.add( tag );
-
- reader.setPointerIndex(index + tag.getTotalLength());
+ int tagLen = tag.getTotalLength();
+ if (tagLen <= 0) {
+ throw new IOException("Bad Img3 tag length: " + tagLen);
+ }
+ reader.setPointerIndex(index + tagLen);
 }
 }