diff -r 2d65c2f76d7b -r 947f0dc9f7a8 kernel/eka/memmodel/epoc/flexible/mcodeseg.cpp
--- a/kernel/eka/memmodel/epoc/flexible/mcodeseg.cpp Tue Feb 02 01:24:03 2010 +0200
+++ b/kernel/eka/memmodel/epoc/flexible/mcodeseg.cpp Fri Apr 16 16:24:37 2010 +0300
@@ -221,12 +221,17 @@
 TInt exportDirSize = iRamInfo.iExportDirCount * sizeof(TLinAddr);
 if(exportDirSize > 0 || (exportDirSize==0 && (iCodeSeg->iAttr&ECodeSegAttNmdExpData)) )
 {
+ TLinAddr expDirLoad = iRamInfo.iExportDir - iRamInfo.iCodeRunAddr + iRamInfo.iCodeLoadAddr;
+ if (expDirLoad < iRamInfo.iCodeLoadAddr ||
+ expDirLoad + exportDirSize > iRamInfo.iCodeLoadAddr + iRamInfo.iCodeSize)
+ {// Invalid export section but the loader should have checked this.
+ return KErrCorrupt;
+ }
 exportDirSize += sizeof(TLinAddr);
 TLinAddr* expDir = (TLinAddr*)Kern::Alloc(exportDirSize);
 if(!expDir)
 return KErrNoMemory;
 iCopyOfExportDir = expDir;
- TLinAddr expDirLoad = iRamInfo.iExportDir-iRamInfo.iCodeRunAddr+iRamInfo.iCodeLoadAddr;
 UNLOCK_USER_MEMORY();
 memcpy(expDir,(TAny*)(expDirLoad-sizeof(TLinAddr)),exportDirSize);
 LOCK_USER_MEMORY();
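Review bot: The new lower-bound check does not cover the whole range the memcpy below actually reads: the copy starts at `expDirLoad-sizeof(TLinAddr)` (the word preceding the export directory) and runs for exportDirSize plus one word, so with expDirLoad equal to iCodeLoadAddr the check passes yet one word below the code segment is read from user memory. The first condition should account for that leading word, e.g. `if (expDirLoad < iRamInfo.iCodeLoadAddr + sizeof(TLinAddr) ||`. The upper-bound test adds an attacker-influenced size to an address; if TLinAddr is an unsigned 32-bit type, as I believe it is in this kernel, a large iExportDirCount can wrap the sum and slip past the comparison, so a subtraction-based form such as `(TUint)exportDirSize > iRamInfo.iCodeSize || expDirLoad - iRamInfo.iCodeLoadAddr > iRamInfo.iCodeSize - exportDirSize` (paired with the corrected lower bound) is safer. The comment on the new block would read better as `// Export directory lies outside the loaded code; the loader should already have rejected this image.` The enclosing function begins and ends outside this hunk.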