[llvm] r316357 - [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
Vedant Kumar via llvm-commits
llvm-commits at lists.llvm.org
Mon Oct 23 11:04:34 PDT 2017
Author: vedantk
Date: Mon Oct 23 11:04:34 2017
New Revision: 316357
URL: http://llvm.org/viewvc/llvm-project?rev=316357&view=rev
Log:
[wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)
A wasm file crafted with a bogus section size can trigger an ASan issue
in the DWARFObjInMemory constructor. Nip the problem in the bud when we
read the wasm section.
Found by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3219
Differential Revision: https://reviews.llvm.org/D38777
Added:
llvm/trunk/test/tools/llvm-objdump/Inputs/corrupt-section.wasm
llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test
Modified:
llvm/trunk/lib/Object/WasmObjectFile.cpp
Modified: llvm/trunk/lib/Object/WasmObjectFile.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Object/WasmObjectFile.cpp?rev=316357&r1=316356&r2=316357&view=diff
==============================================================================
--- llvm/trunk/lib/Object/WasmObjectFile.cpp (original)
+++ llvm/trunk/lib/Object/WasmObjectFile.cpp Mon Oct 23 11:04:34 2017
@@ -178,14 +178,16 @@ static wasm::WasmTable readTable(const u
}
static Error readSection(WasmSection &Section, const uint8_t *&Ptr,
- const uint8_t *Start) {
- // TODO(sbc): Avoid reading past EOF in the case of malformed files.
+ const uint8_t *Start, const uint8_t *Eof) {
Section.Offset = Ptr - Start;
Section.Type = readVaruint7(Ptr);
uint32_t Size = readVaruint32(Ptr);
if (Size == 0)
return make_error<StringError>("Zero length section",
object_error::parse_failed);
+ if (Ptr + Size > Eof)
+ return make_error<StringError>("Section too large",
+ object_error::parse_failed);
Section.Content = ArrayRef<uint8_t>(Ptr, Size);
Ptr += Size;
return Error::success();
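Review bot: the new bound `if (Ptr + Size > Eof)` forms the pointer `Ptr + Size` before comparing it, and since `Size` is a 32-bit value decoded from untrusted input the sum can land far outside the buffer (undefined behaviour for pointer arithmetic in C++, and on a 32-bit host it can wrap and make the comparison pass); compare lengths instead, e.g. `if (Size > static_cast<size_t>(Eof - Ptr))`, which never computes a pointer past the end. The "Section too large" string is what the added test matches, so keep the wording stable if the check is rewritten.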
@@ -221,7 +223,7 @@ WasmObjectFile::WasmObjectFile(MemoryBuf
WasmSection Sec;
while (Ptr < Eof) {
- if ((Err = readSection(Sec, Ptr, getPtr(0))))
+ if ((Err = readSection(Sec, Ptr, getPtr(0), Eof)))
return;
if ((Err = parseSection(Sec)))
return;
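Review bot: the loop condition `while (Ptr < Eof)` only guarantees a single readable byte when `readSection` is entered, but `readSection` decodes a varuint7 type byte and a multi-byte varuint32 size before the new `Ptr + Size > Eof` check runs, so a file truncated inside a section header can still read past `Eof`; consider checking the remaining length before decoding the header, or passing `Eof` into the varint readers so they can fail instead of overreading.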
Added: llvm/trunk/test/tools/llvm-objdump/Inputs/corrupt-section.wasm
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/tools/llvm-objdump/Inputs/corrupt-section.wasm?rev=316357&view=auto
==============================================================================
Binary files llvm/trunk/test/tools/llvm-objdump/Inputs/corrupt-section.wasm (added) and llvm/trunk/test/tools/llvm-objdump/Inputs/corrupt-section.wasm Mon Oct 23 11:04:34 2017 differ
Added: llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test?rev=316357&view=auto
==============================================================================
--- llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test (added)
+++ llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test Mon Oct 23 11:04:34 2017
@@ -0,0 +1,2 @@
+# RUN: not llvm-objdump -h %p/Inputs/corrupt-section.wasm 2>&1 | FileCheck %s
+# CHECK: '{{.*}}corrupt-section.wasm': Section too large
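Review bot: the test pins the diagnostic text but nothing records what is actually corrupt in `corrupt-section.wasm`; add a comment line to the test (e.g. `# The section size field in this file exceeds the file length`) so the binary input can be regenerated if it is lost and so a reader knows which of the two `parse_failed` paths in `readSection` this exercises.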