[PATCH] [Request, 10 lines] D25081: [Object/ELF] - Do not crash on invalid section index.

George Rimar via llvm-commits llvm-commits at lists.llvm.org
Fri Sep 30 02:10:58 PDT 2016 

grimar created this revision.
grimar added reviewers: rafael, davide.
grimar added subscribers: llvm-commits, grimar, evgeny777.

If object has wrong (large) string table index and
also incorrect large value for amount of sections in total,
then section index passes the check:

    if (Index >= getNumSections())
      return object_error::invalid_section_index;
  	

But result pointer then is far after end of file data, what
result in a crash.

Patch fixes the issue.


https://reviews.llvm.org/D25081

Files:
  include/llvm/Object/ELF.h
  test/Object/Inputs/invalid-section-index2.elf
  test/Object/invalid.test


Index: test/Object/invalid.test
===================================================================
--- test/Object/invalid.test
+++ test/Object/invalid.test
@@ -41,7 +41,7 @@
 INVALID-DYNSYM-SIZE: Invalid entity size
 
 RUN: not llvm-readobj -t %p/Inputs/invalid-section-index.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-INDEX %s
-
+RUN: not llvm-readobj -t %p/Inputs/invalid-section-index2.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-INDEX %s
 INVALID-SECTION-INDEX: Invalid section index
 
 RUN: not llvm-readobj -s %p/Inputs/invalid-section-size.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-SIZE %s
Index: include/llvm/Object/ELF.h
===================================================================
--- include/llvm/Object/ELF.h
+++ include/llvm/Object/ELF.h
@@ -425,9 +425,11 @@
   if (Index >= getNumSections())
     return object_error::invalid_section_index;
 
-  return reinterpret_cast<const Elf_Shdr *>(
-      reinterpret_cast<const char *>(SectionHeaderTable) +
-      (Index * Header->e_shentsize));
+  const uint8_t *Addr = reinterpret_cast<const uint8_t *>(SectionHeaderTable) +
+                        (Index * Header->e_shentsize);
+  if (Addr >= base() + getBufSize())
+    return object_error::invalid_section_index;
+  return reinterpret_cast<const Elf_Shdr *>(Addr);
 }
 
 template <class ELFT>


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D25081.73010.patch
Type: text/x-patch
Size: 1364 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20160930/85289ba9/attachment.bin>

More information about the llvm-commits mailing list