From cbc7ee45f985cfea154b97c6ca40a8ed31f7be70 Mon Sep 17 00:00:00 2001 From: Benjamin Kramer Date: Thu, 31 Aug 2017 12:27:10 +0000 Subject: [Object] Verify object sizes before handing out StringRefs pointing out of bounds. This can only happen on corrupt input. Found by OSS-FUZZ! https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3228 llvm-svn: 312235 --- llvm/lib/Object/COFFObjectFile.cpp | 15 +++------------ 1 file changed, 3 insertions(+), 12 deletions(-) (limited to 'llvm/lib/Object/COFFObjectFile.cpp') diff --git a/llvm/lib/Object/COFFObjectFile.cpp b/llvm/lib/Object/COFFObjectFile.cpp index 0a2053477ca..f88ebfc9a1d 100644 --- a/llvm/lib/Object/COFFObjectFile.cpp +++ b/llvm/lib/Object/COFFObjectFile.cpp @@ -52,16 +52,6 @@ static bool checkSize(MemoryBufferRef M, std::error_code &EC, uint64_t Size) { return true; } -static std::error_code checkOffset(MemoryBufferRef M, uintptr_t Addr, - const uint64_t Size) { - if (Addr + Size < Addr || Addr + Size < Size || - Addr + Size > uintptr_t(M.getBufferEnd()) || - Addr < uintptr_t(M.getBufferStart())) { - return object_error::unexpected_eof; - } - return std::error_code(); -} - // Sets Obj unless any bytes in [addr, addr + size) fall outsize of m. // Returns unexpected_eof if error. template @@ -69,7 +59,7 @@ static std::error_code getObject(const T *&Obj, MemoryBufferRef M, const void *Ptr, const uint64_t Size = sizeof(T)) { uintptr_t Addr = uintptr_t(Ptr); - if (std::error_code EC = checkOffset(M, Addr, Size)) + if (std::error_code EC = Binary::checkOffset(M, Addr, Size)) return EC; Obj = reinterpret_cast(Addr); return std::error_code(); @@ -383,7 +373,8 @@ getFirstReloc(const coff_section *Sec, MemoryBufferRef M, const uint8_t *Base) { // relocations. begin++; } - if (checkOffset(M, uintptr_t(begin), sizeof(coff_relocation) * NumRelocs)) + if (Binary::checkOffset(M, uintptr_t(begin), + sizeof(coff_relocation) * NumRelocs)) return nullptr; return begin; } -- cgit v1.2.3