[llvm] [WebAssembly] Add bounds check in parseCodeSection (PR #76407)

via llvm-commits llvm-commits at lists.llvm.org
Tue Dec 26 11:59:58 PST 2023


https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/76407

This is needed as otherwise `Ctx.Ptr` will be incremented to a position outside its available buffer, which is being used to read values e.g. https://github.com/llvm/llvm-project/blob/966d564e43e650b9c34f9c67829d3947f52add91/llvm/lib/Object/WasmObjectFile.cpp#L1469

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856

From b5f99632bb4fcb68b562bda8bb6f4c7d7855bdba Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Tue, 26 Dec 2023 12:11:32 -0800
Subject: [PATCH] [WebAssembly] Add bounds check in parseCodeSection

This is needed as otherwise `Ctx.Ptr` will be incremented to a position
outside its available buffer, which is being used to read values e.g.
https://github.com/llvm/llvm-project/blob/966d564e43e650b9c34f9c67829d3947f52add91/llvm/lib/Object/WasmObjectFile.cpp#L1469

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856

Signed-off-by: David Korczynski <david at adalogics.com>
---
 llvm/lib/Object/WasmObjectFile.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index dfe86a45df3227..40665d686cf939 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -1484,6 +1484,11 @@ Error WasmObjectFile::parseCodeSection(ReadContext &Ctx) {
     }
 
     uint32_t BodySize = FunctionEnd - Ctx.Ptr;
+    // Ensure that Function is within Ctx's buffer.
+    if (Ctx.Ptr + BodySize > Ctx.End) {
+      return make_error<GenericBinaryError>("Function extends beyond buffer",
+                                            object_error::parse_failed);
+    }
     Function.Body = ArrayRef<uint8_t>(Ctx.Ptr, BodySize);
     // This will be set later when reading in the linking metadata section.
     Function.Comdat = UINT32_MAX;
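Review bot: the new check `if (Ctx.Ptr + BodySize > Ctx.End)` is computed by first forming the out-of-range pointer `Ctx.Ptr + BodySize`, which is exactly the pointer this patch is trying to avoid creating; pointer arithmetic past one-past-the-end of the buffer is undefined behaviour in C++, so a compiler (and UBSan) may treat the comparison as always false. Compare lengths instead of pointers, e.g. `if (BodySize > static_cast<size_t>(Ctx.End - Ctx.Ptr))`, which never forms the invalid pointer and gives the same rejection for a truncated code section. Since the underflow case also matters (`uint32_t BodySize = FunctionEnd - Ctx.Ptr;` silently truncates if `FunctionEnd` is already before `Ctx.Ptr`), it would be cleaner to validate `FunctionEnd` against `Ctx.End` at the point where it is computed, before `BodySize` is derived from it. Finally, the patch carries no regression test: a small malformed object (yaml2obj with a function body size larger than the remaining section, as the OSS-Fuzz reproducer does) under llvm/test/Object would pin down the "Function extends beyond buffer" error and keep this path covered.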
