nicolas/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Object] Verify object sizes before handing out StringRefs pointing out

Browse Source 
of bounds.

This can only happen on corrupt input. Found by OSS-FUZZ!
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3228

llvm-svn: 312235
This commit is contained in:
Benjamin Kramer
2017-08-31 12:27:10 +00:00
parent 42f8bfc056
commit cbc7ee45f9
5 changed files with 24 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
llvm/lib/Object/COFFObjectFile.cpp
View File

@@ -52,16 +52,6 @@ static bool checkSize(MemoryBufferRef M, std::error_code &EC, uint64_t Size) {
return true;
}
static std::error_code checkOffset(MemoryBufferRef M, uintptr_t Addr,
const uint64_t Size) {
if (Addr + Size < Addr || Addr + Size < Size ||
Addr + Size > uintptr_t(M.getBufferEnd()) ||
Addr < uintptr_t(M.getBufferStart())) {
return object_error::unexpected_eof;
}
return std::error_code();
}
// Sets Obj unless any bytes in [addr, addr + size) fall outsize of m.
// Returns unexpected_eof if error.
template <typename T>
@@ -69,7 +59,7 @@ static std::error_code getObject(const T *&Obj, MemoryBufferRef M,
const void *Ptr,
const uint64_t Size = sizeof(T)) {
uintptr_t Addr = uintptr_t(Ptr);
if (std::error_code EC = checkOffset(M, Addr, Size))
if (std::error_code EC = Binary::checkOffset(M, Addr, Size))
return EC;
Obj = reinterpret_cast<const T *>(Addr);
return std::error_code();
@@ -383,7 +373,8 @@ getFirstReloc(const coff_section *Sec, MemoryBufferRef M, const uint8_t *Base) {
// relocations.
begin++;
}
if (checkOffset(M, uintptr_t(begin), sizeof(coff_relocation) * NumRelocs))
if (Binary::checkOffset(M, uintptr_t(begin),
sizeof(coff_relocation) * NumRelocs))
return nullptr;
return begin;
}