[PATCH] D50387: [WASM] Fix overflow when reading custom section

Tue Aug 7 07:36:30 PDT 2018

JDevlieghere created this revision.
JDevlieghere added a reviewer: sbc100.
Herald added subscribers: sunfish, aheejin, hiraditya.

When reading a custom WASM section, it was possible that its name
extended beyond the size of the section. This resulted in a bogus value
for the section size due to the size overflowing.

Fixes heap buffer overflow detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8190


Repository:
  rL LLVM

https://reviews.llvm.org/D50387

Files:
  llvm/lib/Object/WasmObjectFile.cpp
  llvm/test/Object/Inputs/WASM/string-outside-section.wasm
  llvm/test/Object/wasm-string-outside-section.test


Index: llvm/test/Object/wasm-string-outside-section.test
===================================================================

--- /dev/null
+++ llvm/test/Object/wasm-string-outside-section.test
@@ -0,0 +1,3 @@
+RUN: not llvm-objdump -s %p/Inputs/WASM/string-outside-section.wasm 2>&1 | FileCheck %s
+
+CHECK: Custom section name extends beyond section
Index: llvm/lib/Object/WasmObjectFile.cpp
===================================================================
--- llvm/lib/Object/WasmObjectFile.cpp
+++ llvm/lib/Object/WasmObjectFile.cpp
@@ -218,7 +218,12 @@
   if (Section.Type == wasm::WASM_SEC_CUSTOM) {
     const uint8_t *NameStart = Ctx.Ptr;
     Section.Name = readString(Ctx);
-    Size -= Ctx.Ptr - NameStart;
+    const uint32_t NameLength = Ctx.Ptr - NameStart;
+    if (NameLength > Size)
+      return make_error<StringError>(
+          "Custom section name extends beyond section",
+          object_error::parse_failed);
+    Size -= NameLength;
   }
   Section.Content = ArrayRef<uint8_t>(Ctx.Ptr, Size);
   Ctx.Ptr += Size;


-------------- next part --------------
A non-text attachment was scrubbed...
Name: D50387.159506.patch
Type: text/x-patch
Size: 1043 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20180807/d59a05ed/attachment.bin>
