From 76d66123b27d7e49fa15a347c006ef9454069614 Mon Sep 17 00:00:00 2001
From: Michael Trent
Date: Mon, 11 Mar 2019 18:29:25 +0000
Subject: Detect malformed LC_LINKER_COMMANDs in Mach-O binaries

Summary: llvm-objdump can be tricked into reading beyond valid memory and segfaulting if LC_LINKER_COMMAND strings are not null terminated. libObject does have code to validate the integrity of the LC_LINKER_COMMAND struct, but this validator improperly assumes linker command strings are null terminated. The solution is to report an error if a string extends beyond the end of the LC_LINKER_COMMAND struct.

Reviewers: lhames, pete
Reviewed By: pete
Subscribers: rupprecht, llvm-commits
Tags: #llvm
Differential Revision: https://reviews.llvm.org/D59179

llvm-svn: 355851
---
 llvm/lib/Object/MachOObjectFile.cpp | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'llvm/lib/Object/MachOObjectFile.cpp')

diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp
index c68bb5d8d02..456c6369d1c 100644
--- a/llvm/lib/Object/MachOObjectFile.cpp
+++ b/llvm/lib/Object/MachOObjectFile.cpp
@@ -918,6 +918,10 @@ static Error checkLinkerOptCommand(const MachOObjectFile &Obj,
   if (left > 0) {
     i++;
     uint32_t NullPos = StringRef(string, left).find('\0');
+    if (0xffffffff == NullPos)
+      return malformedError("load command " + Twine(LoadCommandIndex) +
+                            " LC_LINKER_OPTION string #" + Twine(i) +
+                            " is not NULL terminated");
     uint32_t len = std::min(NullPos, left) + 1;
     string += len;
     left -= len;
--
cgit v1.2.3
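Review bot: The added guard `if (0xffffffff == NullPos)` is correct only because `StringRef::find` returns a `size_t` whose `npos` value is truncated when it is stored into the `uint32_t NullPos` declared on the preceding context line; a reader has to know about that narrowing to see why the literal matches. The portable and self-explanatory form keeps the result wide and tests the named sentinel: `size_t NullPos = StringRef(string, left).find('\0');` followed by `if (NullPos == StringRef::npos)`, with the trailing `uint32_t len = std::min(NullPos, left) + 1;` becoming `uint32_t len = NullPos + 1;` since, once a missing terminator is rejected, `NullPos` is strictly less than `left` and the `std::min` is dead. The search itself is bounded by `left`, so the over-read the description talks about is closed by this check provided `left` was derived from the already-validated cmdsize earlier in `checkLinkerOptCommand`, which begins before this hunk and continues after it. The commit message says `LC_LINKER_COMMAND` while the error string and the function name refer to `LC_LINKER_OPTION`; the string is the one that reaches users, so it is the one to keep consistent with the load-command name.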