[PATCH] D38777: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219)

Phabricator via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Oct 23 11:05:02 PDT 2017


This revision was automatically updated to reflect the committed changes.
Closed by commit rL316357: [wasm] readSection: Avoid reading past eof (fixes oss-fuzz #3219) (authored by vedantk).

Changed prior to commit:
  https://reviews.llvm.org/D38777?vs=119546&id=119903#toc

Repository:
  rL LLVM

https://reviews.llvm.org/D38777

Files:
  llvm/trunk/lib/Object/WasmObjectFile.cpp
  llvm/trunk/test/tools/llvm-objdump/Inputs/corrupt-section.wasm
  llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test


Index: llvm/trunk/lib/Object/WasmObjectFile.cpp
===================================================================
--- llvm/trunk/lib/Object/WasmObjectFile.cpp
+++ llvm/trunk/lib/Object/WasmObjectFile.cpp
@@ -178,14 +178,16 @@
 }
 
 static Error readSection(WasmSection &Section, const uint8_t *&Ptr,
-                         const uint8_t *Start) {
-  // TODO(sbc): Avoid reading past EOF in the case of malformed files.
+                         const uint8_t *Start, const uint8_t *Eof) {
   Section.Offset = Ptr - Start;
   Section.Type = readVaruint7(Ptr);
   uint32_t Size = readVaruint32(Ptr);
   if (Size == 0)
     return make_error<StringError>("Zero length section",
                                    object_error::parse_failed);
+  if (Ptr + Size > Eof)
+    return make_error<StringError>("Section too large",
+                                   object_error::parse_failed);
   Section.Content = ArrayRef<uint8_t>(Ptr, Size);
   Ptr += Size;
   return Error::success();
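Review bot: The new guard `if (Ptr + Size > Eof)` forms the pointer `Ptr + Size` before comparing it, which is undefined behavior whenever Size carries the pointer beyond one-past-the-end of the buffer — precisely the malformed-input case the check exists for — and on 32-bit targets the addition can wrap so the comparison passes and the bad ArrayRef is still built. Comparing the remaining byte count avoids forming the pointer: `if (Size > static_cast<size_t>(Eof - Ptr))`, assuming Ptr has not already passed Eof at that point. The two preceding reads, `readVaruint7(Ptr)` and `readVaruint32(Ptr)`, still advance Ptr with no check against Eof, so a section header truncated at the end of the file can still read past it; the caller in the second hunk only guarantees `Ptr < Eof`, i.e. at least one byte, before the call. readSection's closing brace lies outside this hunk.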
@@ -221,7 +223,7 @@
 
   WasmSection Sec;
   while (Ptr < Eof) {
-    if ((Err = readSection(Sec, Ptr, getPtr(0))))
+    if ((Err = readSection(Sec, Ptr, getPtr(0), Eof)))
       return;
     if ((Err = parseSection(Sec)))
       return;
Index: llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test
===================================================================
--- llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test
+++ llvm/trunk/test/tools/llvm-objdump/wasm-corrupt-section.test
@@ -0,0 +1,2 @@
+# RUN: not llvm-objdump -h %p/Inputs/corrupt-section.wasm 2>&1 | FileCheck %s
+# CHECK: '{{.*}}corrupt-section.wasm': Section too large

