[llvm] r339269 - [WASM] Fix overflow when reading custom section
Jonas Devlieghere via llvm-commits
llvm-commits at lists.llvm.org
Wed Aug 8 09:34:03 PDT 2018
Author: jdevlieghere
Date: Wed Aug 8 09:34:03 2018
New Revision: 339269
URL: http://llvm.org/viewvc/llvm-project?rev=339269&view=rev
Log:
[WASM] Fix overflow when reading custom section
When reading a custom WASM section, it was possible that its name
extended beyond the size of the section. This resulted in a bogus value
for the section size due to the size overflowing.
Fixes heap buffer overflow detected by OSS-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8190
Differential revision: https://reviews.llvm.org/D50387
Added:
llvm/trunk/test/Object/Inputs/WASM/string-outside-section.wasm (with props)
llvm/trunk/test/Object/wasm-string-outside-section.test
Modified:
llvm/trunk/lib/Object/WasmObjectFile.cpp
Modified: llvm/trunk/lib/Object/WasmObjectFile.cpp
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/lib/Object/WasmObjectFile.cpp?rev=339269&r1=339268&r2=339269&view=diff
==============================================================================
--- llvm/trunk/lib/Object/WasmObjectFile.cpp (original)
+++ llvm/trunk/lib/Object/WasmObjectFile.cpp Wed Aug 8 09:34:03 2018
@@ -216,9 +216,16 @@ static Error readSection(WasmSection &Se
return make_error<StringError>("Section too large",
object_error::parse_failed);
if (Section.Type == wasm::WASM_SEC_CUSTOM) {
- const uint8_t *NameStart = Ctx.Ptr;
- Section.Name = readString(Ctx);
- Size -= Ctx.Ptr - NameStart;
+ WasmObjectFile::ReadContext SectionCtx;
+ SectionCtx.Start = Ctx.Ptr;
+ SectionCtx.Ptr = Ctx.Ptr;
+ SectionCtx.End = Ctx.Ptr + Size;
+
+ Section.Name = readString(SectionCtx);
+
+ uint32_t SectionNameSize = SectionCtx.Ptr - SectionCtx.Start;
+ Ctx.Ptr += SectionNameSize;
+ Size -= SectionNameSize;
}
Section.Content = ArrayRef<uint8_t>(Ctx.Ptr, Size);
Ctx.Ptr += Size;
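Review bot: `SectionCtx.End = Ctx.Ptr + Size;` is only inside the buffer if the "Section too large" check just above the custom-section branch has already limited `Size` to the bytes remaining, and nothing in the new block says so. A one-line comment stating that the sub-context exists to confine the name read to the section payload, and that it depends on that earlier check, would keep a later refactor from going back to reading through `Ctx`. Separately, `uint32_t SectionNameSize = SectionCtx.Ptr - SectionCtx.Start;` narrows a pointer difference implicitly. The value cannot exceed `Size` as long as `readString` respects `SectionCtx.End`, so an explicit cast or an assert that `SectionNameSize <= Size` before `Size -= SectionNameSize;` would document the invariant that the old code violated.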
Added: llvm/trunk/test/Object/Inputs/WASM/string-outside-section.wasm
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Object/Inputs/WASM/string-outside-section.wasm?rev=339269&view=auto
==============================================================================
Binary file - no diff available.
Propchange: llvm/trunk/test/Object/Inputs/WASM/string-outside-section.wasm
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: llvm/trunk/test/Object/wasm-string-outside-section.test
URL: http://llvm.org/viewvc/llvm-project/llvm/trunk/test/Object/wasm-string-outside-section.test?rev=339269&view=auto
==============================================================================
--- llvm/trunk/test/Object/wasm-string-outside-section.test (added)
+++ llvm/trunk/test/Object/wasm-string-outside-section.test Wed Aug 8 09:34:03 2018
@@ -0,0 +1,3 @@
+RUN: not llvm-objdump -s %p/Inputs/WASM/string-outside-section.wasm 2>&1 | FileCheck %s
+
+CHECK: LLVM ERROR: EOF while reading string
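Review bot: `CHECK: LLVM ERROR: EOF while reading string` pins a fatal-error exit as the expected outcome for a malformed input, while the other size problem in `readSection` is reported through a returned `StringError` with `object_error::parse_failed`. For a library that parses untrusted object files, it would be worth considering a recoverable error for the out-of-section name as well, with the test then checking that message. As written, the test confirms that the out-of-bounds read is gone but also locks in the process abort for tools that link against the Object library.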