Found during fuzzing with the `macho_inject` target. To reproduce:

```sh
deno bundle jsr:@std/http ./out.js
cd fuzz
cargo +nightly fuzz tmin macho_inject ./out.js
```

This will truncate the input until the crash stops. It stops at 16394 bytes.
```
thread '<unnamed>' panicked at fuzz_targets/macho_inject.rs:28:68:
called `Result::unwrap()` on an `Err` value: Os { code: 88, kind: Uncategorized, message: "Malformed Mach-o file" }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
==98137== ERROR: libFuzzer: deadly signal
    #0 0x103549470 in __sanitizer_print_stack_trace+0x28 (librustc-nightly_rt.asan.dylib:arm64+0x59470)
    #1 0x10280c1c4 in fuzzer::PrintStackTrace()+0x30 (macho_inject:arm64+0x1002341c4)
    #2 0x1027ff640 in fuzzer::Fuzzer::CrashCallback()+0x54 (macho_inject:arm64+0x100227640)
    #3 0x185cb1a20 in _sigtramp+0x34 (libsystem_platform.dylib:arm64+0x3a20)
    #4 0x9d5d800185c81cbc (<unknown module>)
    #5 0xef26000185b8da3c (<unknown module>)
    #6 0x6604800102877340 (<unknown module>)
    #7 0x1028cb12c in std::process::abort::hc5865c173c9cb8a3+0x8 (macho_inject:arm64+0x1002f312c)
    #8 0x1027fe584 in libfuzzer_sys::initialize::_$u7b$$u7b$closure$u7d$$u7d$::h9fff195eb4396b01+0xb8 (macho_inject:arm64+0x100226584)
    #9 0x10286e338 in std::panicking::rust_panic_with_hook::h892c1914c41e3fd7+0x5c0 (macho_inject:arm64+0x100296338)
    #10 0x10286dd40 in std::panicking::begin_panic_handler::_$u7b$$u7b$closure$u7d$$u7d$::hc89c2eb1135e1250+0x94 (macho_inject:arm64+0x100295d40)
    #11 0x10286b9ec in std::sys_common::backtrace::__rust_end_short_backtrace::ha780f588c27ff0ce+0x8 (macho_inject:arm64+0x1002939ec)
    #12 0x10286dab0 in rust_begin_unwind+0x30 (macho_inject:arm64+0x100295ab0)
    #13 0x1028cccc0 in core::panicking::panic_fmt::h637fcf3fd5c074bd+0x28 (macho_inject:arm64+0x1002f4cc0)
    #14 0x1028cd0c0 in core::result::unwrap_failed::h2cb6513382ff3f1a+0x58 (macho_inject:arm64+0x1002f50c0)
    #15 0x1025ef410 in macho_inject::_::__libfuzzer_sys_run::h17ff2f584b2b23d0 macho_inject.rs:28
    #16 0x1025ee090 in rust_fuzzer_test_input lib.rs:224
    #17 0x1027f8b28 in std::panicking::try::do_call::h88c225ba9b11d770+0xc4 (macho_inject:arm64+0x100220b28)
    #18 0x1027fe800 in __rust_try+0x20 (macho_inject:arm64+0x100226800)
    #19 0x1027fdc3c in LLVMFuzzerTestOneInput+0x16c (macho_inject:arm64+0x100225c3c)
    #20 0x102800f04 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)+0x150 (macho_inject:arm64+0x100228f04)
    #21 0x102802f5c in fuzzer::Fuzzer::MinimizeCrashLoop(std::__1::vector<unsigned char, std::__1::allocator<unsigned char>> const&)+0x128 (macho_inject:arm64+0x10022af5c)
    #22 0x10281fa84 in fuzzer::MinimizeCrashInputInternalStep(fuzzer::Fuzzer*, fuzzer::InputCorpus*)+0xb8 (macho_inject:arm64+0x100247a84)
    #23 0x102822d38 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))+0x1bc8 (macho_inject:arm64+0x10024ad38)
    #24 0x10282fec4 in main+0x24 (macho_inject:arm64+0x100257ec4)
    #25 0x1859010dc (<unknown module>)
    #26 0xb849fffffffffffc (<unknown module>)

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 3 EraseBytes-EraseBytes-EraseBytes-; base unit: 0000000000000000000000000000000000000000
artifact_prefix='/Users/divy/gh/sui/fuzz/artifacts/macho_inject/'; Test unit written to /Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-7adfff559eeb194fe64de5c1871802f89ba95b46

*********************************

CRASH_MIN: minimizing crash input: '/Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-7adfff559eeb194fe64de5c1871802f89ba95b46' (16394 bytes)
CRASH_MIN: executing: target/aarch64-apple-darwin/release/macho_inject -artifact_prefix=/Users/divy/gh/sui/fuzz/artifacts/macho_inject/ -runs=255 /Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-7adfff559eeb194fe64de5c1871802f89ba95b46 2>&1
CRASH_MIN: '/Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-7adfff559eeb194fe64de5c1871802f89ba95b46' (16394 bytes) caused a crash. Will try to minimize it further
CRASH_MIN: executing: target/aarch64-apple-darwin/release/macho_inject -artifact_prefix=/Users/divy/gh/sui/fuzz/artifacts/macho_inject/ -runs=255 /Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-7adfff559eeb194fe64de5c1871802f89ba95b46 -minimize_crash_internal_step=1 -exact_artifact_path=/Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-e6a0ea5423a955500062e9a15e2749e7f65e00fb 2>&1
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 606972269
INFO: Loaded 1 modules (44515 inline 8-bit counters): 44515 [0x104822270, 0x10482d053),
INFO: Loaded 1 PC tables (44515 PCs): 44515 [0x10482d058,0x1048dae88),
INFO: Starting MinimizeCrashInputInternalStep: 16394
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 16394 bytes
#8 pulse exec/s: 4 rss: 57Mb
#16 pulse exec/s: 4 rss: 61Mb
#32 pulse exec/s: 4 rss: 69Mb
#64 pulse exec/s: 3 rss: 86Mb
#128 pulse exec/s: 3 rss: 119Mb
INFO: Done MinimizeCrashInputInternalStep, no crashes found
CRASH_MIN: failed to minimize beyond /Users/divy/gh/sui/fuzz/artifacts/macho_inject/minimized-from-7adfff559eeb194fe64de5c1871802f89ba95b46 (16394 bytes), exiting
```
This is very close to `0x4000`...our page-aligned LINKEDIT slider...which leads me to believe that this is wrong: https://github.com/littledivy/sui/blob/d9df0e9559b43042104020de84b15c1528d0d25d/lib.rs#L265-L267
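The report above traces the panic to an `unwrap()` at `macho_inject.rs:28` on a `Result` whose `Err` is an ordinary "Malformed Mach-o file" error, and suspects the `0x4000` page-aligned LINKEDIT slide. The following is an added example, not code from sui or from the reporter: it assumes a toy 64-bit Mach-O header check (`check_header`), a hypothetical fuzz entry point (`fuzz_one`) and an `align_up` helper, and shows the harness shape in which a malformed-input `Err` is a normal outcome rather than a crash, so that only real defects (panics, broken alignment invariants) reach libFuzzer. It also works the page-rounding arithmetic for the 16394-byte minimised input.

```rust
// Added example (not sui's code). Models a fuzz target body that treats a
// parser's Err as expected for malformed input and only lets genuine
// defects surface as panics.

const MH_MAGIC_64: u32 = 0xfeed_facf; // 64-bit Mach-O magic, little-endian
const HEADER_SIZE_64: usize = 32;     // sizeof(mach_header_64)
const PAGE_SIZE: u64 = 0x4000;        // 16 KiB arm64 page, the "0x4000" from the report

#[derive(Debug, PartialEq)]
pub enum MachoError {
    TooShort(usize),
    BadMagic(u32),
    TruncatedLoadCommands { need: usize, have: usize },
}

fn le_u32(b: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([b[off], b[off + 1], b[off + 2], b[off + 3]])
}

/// Minimal header validation: magic, then that the load-command area
/// actually fits inside the input. Returns (ncmds, sizeofcmds).
pub fn check_header(data: &[u8]) -> Result<(u32, u32), MachoError> {
    if data.len() < HEADER_SIZE_64 {
        return Err(MachoError::TooShort(data.len()));
    }
    let magic = le_u32(data, 0);
    if magic != MH_MAGIC_64 {
        return Err(MachoError::BadMagic(magic));
    }
    let ncmds = le_u32(data, 16);
    let sizeofcmds = le_u32(data, 20);
    let need = HEADER_SIZE_64 + sizeofcmds as usize;
    if data.len() < need {
        return Err(MachoError::TruncatedLoadCommands { need, have: data.len() });
    }
    Ok((ncmds, sizeofcmds))
}

/// Round `x` up to the next multiple of `align` (a power of two).
pub fn align_up(x: u64, align: u64) -> u64 {
    debug_assert!(align.is_power_of_two());
    (x + align - 1) & !(align - 1)
}

/// Hypothetical fuzz target body. Malformed input yields None instead of
/// an unwrap panic; the only panics left are real invariant violations.
pub fn fuzz_one(data: &[u8]) -> Option<u64> {
    match check_header(data) {
        Ok((_ncmds, sizeofcmds)) => {
            // Where a page-aligned LINKEDIT would start if placed after
            // the load commands.
            let end = (HEADER_SIZE_64 + sizeofcmds as usize) as u64;
            let slid = align_up(end, PAGE_SIZE);
            assert!(slid >= end && slid % PAGE_SIZE == 0, "alignment invariant broken");
            Some(slid)
        }
        Err(_) => None, // expected for garbage input; do not unwrap here
    }
}

/// Constructed sample input: a 64-bit header claiming `sizeofcmds` bytes
/// of load commands, padded or cut to `total_len` bytes.
pub fn sample_header(sizeofcmds: u32, total_len: usize) -> Vec<u8> {
    let mut v = vec![0u8; total_len.max(HEADER_SIZE_64)];
    v[0..4].copy_from_slice(&MH_MAGIC_64.to_le_bytes());
    v[16..20].copy_from_slice(&1u32.to_le_bytes()); // ncmds
    v[20..24].copy_from_slice(&sizeofcmds.to_le_bytes());
    v.truncate(total_len);
    v
}

fn main() {
    let good = sample_header(0x40, 0x100);
    println!("well-formed -> {:?}", fuzz_one(&good)); // Some(16384)
    let cut = sample_header(0x40, 40); // load commands truncated
    println!("truncated -> {:?}", check_header(&cut));
    // The 16394-byte minimised input spills 10 bytes past one 0x4000 page,
    // so a page-rounded slide lands at 0x8000, not 0x4000.
    println!("align_up(16394) = {:#x}", align_up(16394, PAGE_SIZE));
}
```

The point of `fuzz_one` returning `None` on `Err` is that `cargo fuzz` then keeps exploring rather than stopping on every truncated blob; the `assert!` on the slid offset is the kind of invariant that is worth letting panic, since a violation there is a real bug in the alignment code rather than bad input.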
```sh
cargo +nightly fuzz run macho_inject artifacts/macho_inject/minimized-from-3cb36cbea7dc687d939d580d45f2eb261f9e9c85
```
3746eba