diff options
| author | Jonas Devlieghere <jonas@devlieghere.com> | 2017-09-13 13:43:01 +0000 |
|---|---|---|
| committer | Jonas Devlieghere <jonas@devlieghere.com> | 2017-09-13 13:43:01 +0000 |
| commit | 81f5abe1add34519bcede582b6b1ca3d6ed895c1 (patch) | |
| tree | fafd5e04f6b0f426ce622f12d4cafb92dd176246 /llvm/lib/Object/MachOObjectFile.cpp | |
| parent | 35f4d7ca463903b3c12c1a00cdd1badb9ef2ca08 (diff) | |
| download | bcm5719-llvm-81f5abe1add34519bcede582b6b1ca3d6ed895c1.tar.gz bcm5719-llvm-81f5abe1add34519bcede582b6b1ca3d6ed895c1.zip | |
[MachO] Prevent heap overflow when load command extends past EOF
This patch fixes a heap-buffer-overflow when a malformed Mach-O has a
load command who's size extends past the end of the binary.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3225
Differential revision: https://reviews.llvm.org/D37439
llvm-svn: 313145
Diffstat (limited to 'llvm/lib/Object/MachOObjectFile.cpp')
| -rw-r--r-- | llvm/lib/Object/MachOObjectFile.cpp | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp index a32533b003b..b943c4063d6 100644 --- a/llvm/lib/Object/MachOObjectFile.cpp +++ b/llvm/lib/Object/MachOObjectFile.cpp @@ -183,6 +183,9 @@ static Expected<MachOObjectFile::LoadCommandInfo> getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr, uint32_t LoadCommandIndex) { if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) { + if (CmdOrErr->cmdsize + Ptr > Obj.getData().end()) + return malformedError("load command " + Twine(LoadCommandIndex) + + " extends past end of file"); if (CmdOrErr->cmdsize < 8) return malformedError("load command " + Twine(LoadCommandIndex) + " with size less than 8 bytes"); @@ -800,7 +803,7 @@ static Error checkNoteCommand(const MachOObjectFile &Obj, uint32_t LoadCommandIndex, std::list<MachOElement> &Elements) { if (Load.C.cmdsize != sizeof(MachO::note_command)) - return malformedError("load command " + Twine(LoadCommandIndex) + + return malformedError("load command " + Twine(LoadCommandIndex) + " LC_NOTE has incorrect cmdsize"); MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr); uint64_t FileSize = Obj.getData().size(); |
