[llvm] [WebAssembly] Add bounds check in parseCodeSection (PR #76407)
via llvm-commits
llvm-commits at lists.llvm.org
Tue Dec 26 12:00:38 PST 2023
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-llvm-binary-utilities
Author: None (DavidKorczynski)
<details>
<summary>Changes</summary>
This is needed as otherwise `Ctx.Ptr` will be incremented to a position outside it's available buffer, which is being used to read values e.g. https://github.com/llvm/llvm-project/blob/966d564e43e650b9c34f9c67829d3947f52add91/llvm/lib/Object/WasmObjectFile.cpp#L1469
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856
---
Full diff: https://github.com/llvm/llvm-project/pull/76407.diff
1 Files Affected:
- (modified) llvm/lib/Object/WasmObjectFile.cpp (+5)
``````````diff
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index dfe86a45df3227..40665d686cf939 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -1484,6 +1484,11 @@ Error WasmObjectFile::parseCodeSection(ReadContext &Ctx) {
}
uint32_t BodySize = FunctionEnd - Ctx.Ptr;
+ // Ensure that Function is within Ctx's buffer.
+ if (Ctx.Ptr + BodySize > Ctx.End) {
+ return make_error<GenericBinaryError>("Function extends beyond buffer",
+ object_error::parse_failed);
+ }
Function.Body = ArrayRef<uint8_t>(Ctx.Ptr, BodySize);
// This will be set later when reading in the linking metadata section.
Function.Comdat = UINT32_MAX;
``````````
</details>
https://github.com/llvm/llvm-project/pull/76407
More information about the llvm-commits
mailing list