[PATCH] D25518: [ELF] - Handle broken size field of compressed sections header.

Wed Oct 12 08:54:05 PDT 2016

grimar created this revision.
grimar added reviewers: ruiu, rafael, davide.
grimar added subscribers: llvm-commits, grimar, evgeny777.

Patch fixes issue when 32bit host may have overflow after assigning ch_size to size_t.
Also adds uncompressed section size limit to help in diagnostic of broken inputs.


https://reviews.llvm.org/D25518

Files:
  ELF/InputSection.cpp
  test/ELF/invalid/Inputs/too-large-compressed-sec.elf
  test/ELF/invalid/too-large-compressed-sec.s


Index: test/ELF/invalid/too-large-compressed-sec.s
===================================================================

--- test/ELF/invalid/too-large-compressed-sec.s
+++ test/ELF/invalid/too-large-compressed-sec.s
@@ -0,0 +1,7 @@
+# REQUIRES: x86
+
+## too-large-compressed-sec.elf contains compressed section
+## with broken header containing huge uncompressed section size value.
+# RUN: not ld.lld %S/Inputs/common-symbol-alignment.elf \
+# RUN:   -o %t 2>&1 | FileCheck %s
+# CHECK: uncompressed section size is too large
Index: ELF/InputSection.cpp
===================================================================
--- ELF/InputSection.cpp
+++ ELF/InputSection.cpp
@@ -115,6 +115,10 @@
 
   if (Hdr->ch_type != ELFCOMPRESS_ZLIB)
     fatal(getName(this) + ": unsupported compression type");
+  // We check that uncompressed section size is not greater than 2^40
+  // because it seems to be reasonable limit to protect from broken inputs.
+  if (Hdr->ch_size > SIZE_MAX || Hdr->ch_size > 0x10000000000)
+    fatal(getName(this) + ": uncompressed section size is too large");
 
   StringRef Buf((const char *)Data.data(), Data.size());
   size_t UncompressedDataSize = Hdr->ch_size;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D25518.74389.patch
Type: text/x-patch
Size: 1190 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20161012/1e3e23d6/attachment.bin>
