[PATCH] D37439: [MachO] Prevent heap overflow when load command extends past EOF

Jonas Devlieghere via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Sep 13 06:44:41 PDT 2017


This revision was automatically updated to reflect the committed changes.
Closed by commit rL313145: [MachO] Prevent heap overflow when load command extends past EOF (authored by JDevlieghere).

Changed prior to commit:
  https://reviews.llvm.org/D37439?vs=113756&id=115031#toc

Repository:
  rL LLVM

https://reviews.llvm.org/D37439

Files:
  llvm/trunk/lib/Object/MachOObjectFile.cpp
  llvm/trunk/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof
  llvm/trunk/test/Object/macho-invalid.test


Index: llvm/trunk/lib/Object/MachOObjectFile.cpp
===================================================================
--- llvm/trunk/lib/Object/MachOObjectFile.cpp
+++ llvm/trunk/lib/Object/MachOObjectFile.cpp
@@ -183,6 +183,9 @@
 getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,
                    uint32_t LoadCommandIndex) {
   if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {
+    if (CmdOrErr->cmdsize + Ptr > Obj.getData().end())
+      return malformedError("load command " + Twine(LoadCommandIndex) +
+                            " extends past end of file");
     if (CmdOrErr->cmdsize < 8)
       return malformedError("load command " + Twine(LoadCommandIndex) +
                             " with size less than 8 bytes");
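Review bot: The new check computes `CmdOrErr->cmdsize + Ptr` and only then compares it with the buffer end, so an attacker-chosen cmdsize first forms a pointer beyond the object's storage, which is undefined behavior in C++ and on a 32-bit host can wrap around and slip past the comparison. Comparing lengths instead needs no out-of-range pointer: `if (CmdOrErr->cmdsize > static_cast<uint64_t>(Obj.getData().end() - Ptr))`. That subtraction is well-defined as long as Ptr itself lies inside the buffer, which the successful getStructOrErr call just above appears to guarantee, though its bounds checking is not visible here. getLoadCommandInfo both starts and ends outside this hunk.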
@@ -800,7 +803,7 @@
                               uint32_t LoadCommandIndex,
                               std::list<MachOElement> &Elements) {
   if (Load.C.cmdsize != sizeof(MachO::note_command))
-    return malformedError("load command " + Twine(LoadCommandIndex) + 
+    return malformedError("load command " + Twine(LoadCommandIndex) +
                           " LC_NOTE has incorrect cmdsize");
   MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr);
   uint64_t FileSize = Obj.getData().size();
Index: llvm/trunk/test/Object/macho-invalid.test
===================================================================
--- llvm/trunk/test/Object/macho-invalid.test
+++ llvm/trunk/test/Object/macho-invalid.test
@@ -284,6 +284,9 @@
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id  2>&1 | FileCheck -check-prefix INVALID-DYLIB-NO-ID %s
 INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)
 
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-cmdsize-past-eof 2>&1 | FileCheck -check-prefix INVALID-DYLIB-CMDSIZE %s
+INVALID-DYLIB-CMDSIZE: macho-invalid-dylib-cmdsize-past-eof': truncated or malformed object (load command 0 extends past end of file)
+
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-more-than-one  2>&1 | FileCheck -check-prefix INVALID-UUID-MORE-THAN-ONE %s
 INVALID-UUID-MORE-THAN-ONE: macho-invalid-uuid-more-than-one': truncated or malformed object (more than one LC_UUID command)
 

