From 4bbc6b55e7bc13b04eb7e47f6cc6df17e508a270 Mon Sep 17 00:00:00 2001
From: Sam Clegg
Date: Fri, 18 May 2018 21:08:26 +0000
Subject: [WebAssembly] Object: Add more error checking for object file reading

This should address some the assert failures the fuzzer has been finding such as: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6719

Differential Revision: https://reviews.llvm.org/D47046

llvm-svn: 332769
---
 llvm/lib/Object/WasmObjectFile.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'llvm/lib/Object/WasmObjectFile.cpp')

diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index f6e2d92c031..d15ff943eb6 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -112,19 +112,22 @@ static int64_t readLEB128(const uint8_t *&Ptr) {
 
 static uint8_t readVaruint1(const uint8_t *&Ptr) {
   int64_t result = readLEB128(Ptr);
-  assert(result <= VARUINT1_MAX && result >= 0);
+  if (result > VARUINT1_MAX || result < 0)
+    report_fatal_error("LEB is outside Varuint1 range");
   return result;
 }
 
 static int32_t readVarint32(const uint8_t *&Ptr) {
   int64_t result = readLEB128(Ptr);
-  assert(result <= INT32_MAX && result >= INT32_MIN);
+  if (result > INT32_MAX || result < INT32_MIN)
+    report_fatal_error("LEB is outside Varint32 range");
   return result;
 }
 
 static uint32_t readVaruint32(const uint8_t *&Ptr) {
   uint64_t result = readULEB128(Ptr);
-  assert(result <= UINT32_MAX);
+  if (result > UINT32_MAX)
+    report_fatal_error("LEB is outside Varuint32 range");
   return result;
 }
 
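Review bot: The three readers still return a bare value with no error channel, so the new `report_fatal_error` calls turn an out-of-range LEB into process termination (or whatever fatal-error handler the host installed) rather than a recoverable `Error`; that is better than a release-build `assert` that checked nothing, but callers such as parseDataSection cannot catch it, which deserves a comment. Suggested comment above readVaruint1: `// Out-of-range LEBs are fatal: these readers return raw values and have no Error channel, so malformed input aborts via report_fatal_error rather than returning parse_failed.` None of the readers take an `End` pointer, so a LEB truncated at the end of the buffer is not covered by these range checks; whether readLEB128/readULEB128 bound their own reads is outside the hunk. The `int64_t` to `uint8_t` narrowing on readVaruint1's return, and the matching narrowings in readVarint32 and readVaruint32, are now guaranteed in range by the checks, which is worth stating in the same comment.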
@@ -955,6 +958,9 @@ Error WasmObjectFile::parseDataSection(const uint8_t *Ptr, const uint8_t *End) {
     if (Error Err = readInitExpr(Segment.Data.Offset, Ptr))
       return Err;
     uint32_t Size = readVaruint32(Ptr);
+    if (Size > End - Ptr)
+      return make_error("Invalid segment size",
+                        object_error::parse_failed);
     Segment.Data.Content = ArrayRef(Ptr, Size);
     // The rest of these Data fields are set later, when reading in the linking
     // metadata section.
-- 
cgit v1.2.3
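Review bot: The added guard `Size > End - Ptr` compares a `uint32_t` with a `ptrdiff_t`; on an ILP32 target both operands convert to unsigned, so a negative `End - Ptr` (possible if readVaruint32 advanced Ptr past End on a truncated LEB — its body is outside the hunk) would read as a huge positive value and the bound would be accepted. Writing it as `if (Ptr > End || Size > static_cast<size_t>(End - Ptr))` states the intent explicitly and avoids the signed/unsigned conversion on every target. The same bound is presumably needed wherever an `ArrayRef` is built from a size read off the file; only this segment's content is covered here, so a short comment on the check, `// Bound the segment by the section end so a malformed Size cannot produce an ArrayRef past the buffer.`, would help the next reader apply it consistently. parseDataSection starts and continues outside the hunk.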