From 2f2500e562588bf0b19aed4332880c1323fb6f4d Mon Sep 17 00:00:00 2001
From: George Rimar
Date: Thu, 27 Oct 2016 11:50:04 +0000
Subject: [PATCH] [Object/ELF] - Fixed behavior when SectionHeaderTable->sh_size is too large. Elf.h already has code checking that section table does not go past end of file. Problem is that this check may not work on values greater than UINT64_MAX / Header->e_shentsize because of calculation overflow. Parch fixes the issue. Differential revision: https://reviews.llvm.org/D25432 llvm-svn: 285285
---
 include/llvm/Object/ELF.h | 6 ++++++
 test/Object/Inputs/invalid-sections-num.elf | Bin 0 -> 528 bytes
 test/Object/invalid.test | 3 +++
 3 files changed, 9 insertions(+)
 create mode 100644 test/Object/Inputs/invalid-sections-num.elf
diff --git a/include/llvm/Object/ELF.h b/include/llvm/Object/ELF.h
index d1de25d2821..2c715bffa2f 100644
--- a/include/llvm/Object/ELF.h
+++ b/include/llvm/Object/ELF.h
@@ -347,6 +347,12 @@ ELFFile::ELFFile(StringRef Object, std::error_code &EC)
 // The getNumSections() call below depends on SectionHeaderTable being set.
 SectionHeaderTable = reinterpret_cast(base() + SectionTableOffset);
+ if (getNumSections() > UINT64_MAX / Header->e_shentsize) {
+ // Section table goes past end of file!
+ EC = object_error::parse_failed;
+ return;
+ }
+
 const uint64_t SectionTableSize = getNumSections() * Header->e_shentsize;
 if (SectionTableOffset + SectionTableSize > FileSize) {
diff --git a/test/Object/Inputs/invalid-sections-num.elf b/test/Object/Inputs/invalid-sections-num.elf
new file mode 100644
index 0000000000000000000000000000000000000000..d8d5bc8fe2baa23001cf28023384dd2843fa464c
GIT binary patch literal 528 zcmb<-^>JfjWMpQ50!9Wq21XbMiJpPPb^x;>B$6-+lLyE%U|>QK19S9BQY%Ur^pc8; z8Pf9e8T5)vib@ibfOKUpm`+J7NyOBJOGE*egaA+i?kTXM`(UyFszD7(!zgq=gZLoK z22%i~9nknNE(?sozz1e207;O3R5vg%H~_`)0d}Ay2M{CcQv~uIfEXJ<*b9-B08;Q! WZ$Rj9fHDoBG|Yb>yFdV>4+H=$1`_W8 literal 0 HcmV?d00001
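Review bot: The context line `if (SectionTableOffset + SectionTableSize > FileSize)` at the end of the ELF.h hunk can still wrap, because the added guard only bounds the multiplication: a product that fits in 64 bits can overflow once the offset is added, and the table is then accepted as in-bounds again. Comparing without the addition closes that, e.g. `if (SectionTableSize > FileSize || SectionTableOffset > FileSize - SectionTableSize)`, assuming both operands are unsigned 64-bit, which the hunk shows only for SectionTableSize. The added division also assumes `Header->e_shentsize` is non-zero; no such check is visible here, so either confirm one exists earlier in the constructor or prepend `Header->e_shentsize == 0 ||` to the new condition. The comment on the new branch would read more accurately as `// Section table size computation would overflow.`. The constructor body starts and ends outside the hunk.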
diff --git a/test/Object/invalid.test b/test/Object/invalid.test
index a0016fef9d5..dd431aa3a55 100644
--- a/test/Object/invalid.test
+++ b/test/Object/invalid.test
@@ -76,3 +76,6 @@ INVALID-SEC-ADDRESS-ALIGNMENT: Invalid data was encountered while parsing the fi
 RUN: not llvm-readobj -t %p/Inputs/invalid-section-size2.elf 2>&1 | \
 RUN: FileCheck --check-prefix=INVALID-SECTION-SIZE2 %s
 INVALID-SECTION-SIZE2: Invalid data was encountered while parsing the file.
+
+RUN: not llvm-readobj -t %p/Inputs/invalid-sections-num.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-NUM %s
+INVALID-SECTION-NUM: Invalid data was encountered while parsing the file.