RPCS3/llvm
1
0
Fork 0
mirror of https://github.com/RPCS3/llvm.git synced 2024-12-11 05:35:11 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[MachO] Prevent heap overflow when load command extends past EOF

Browse Source 
This patch fixes a heap-buffer-overflow when a malformed Mach-O has a
load command who's size extends past the end of the binary.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3225

Differential revision: https://reviews.llvm.org/D37439

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@313145 91177308-0d34-0410-b5e6-96231b3b80d8
This commit is contained in:
Jonas Devlieghere 2017-09-13 13:43:01 +00:00
parent 8a07ca8969
commit 143e1f1682
3 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/Object/MachOObjectFile.cpp
View File

@ -183,6 +183,9 @@ static Expected<MachOObjectFile::LoadCommandInfo>
getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,
uint32_t LoadCommandIndex) {
if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {
if (CmdOrErr->cmdsize + Ptr > Obj.getData().end())
return malformedError("load command " + Twine(LoadCommandIndex) +
" extends past end of file");
if (CmdOrErr->cmdsize < 8)
return malformedError("load command " + Twine(LoadCommandIndex) +
" with size less than 8 bytes");
@ -800,7 +803,7 @@ static Error checkNoteCommand(const MachOObjectFile &Obj,
uint32_t LoadCommandIndex,
std::list<MachOElement> &Elements) {
if (Load.C.cmdsize != sizeof(MachO::note_command))
return malformedError("load command " + Twine(LoadCommandIndex) +
return malformedError("load command " + Twine(LoadCommandIndex) +
" LC_NOTE has incorrect cmdsize");
MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr);
uint64_t FileSize = Obj.getData().size();

BIN
test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof Normal file
View File

Binary file not shown.

3
test/Object/macho-invalid.test
View File

@ -284,6 +284,9 @@ INVALID-DYLIB-WRONG-FILETYPE: macho-invalid-dylib-wrong-filetype': truncated or
RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id 2>&1 | FileCheck -check-prefix INVALID-DYLIB-NO-ID %s
INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)
RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-cmdsize-past-eof 2>&1 | FileCheck -check-prefix INVALID-DYLIB-CMDSIZE %s
INVALID-DYLIB-CMDSIZE: macho-invalid-dylib-cmdsize-past-eof': truncated or malformed object (load command 0 extends past end of file)
RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-more-than-one 2>&1 | FileCheck -check-prefix INVALID-UUID-MORE-THAN-ONE %s
INVALID-UUID-MORE-THAN-ONE: macho-invalid-uuid-more-than-one': truncated or malformed object (more than one LC_UUID command)