[llvm] [WebAssembly] Limit increase of Ctx.End (PR #76676)
via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 1 04:59:31 PST 2024
https://github.com/DavidKorczynski created https://github.com/llvm/llvm-project/pull/76676
Extending `Ctx.End` beyond the original buffer leads to buffer overflows. This limits extending Ctx.End beyond OrigEnd to prevent these overflows.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65432
From 1aa5a9d1d2b9bc825eb1325cef5f864adf65965d Mon Sep 17 00:00:00 2001
From: David Korczynski <david at adalogics.com>
Date: Mon, 1 Jan 2024 04:56:29 -0800
Subject: [PATCH] [WebAssembly] Limit increase of Ctx.End
Extending `Ctx.End` beyond the original buffer leads to buffer
overflows. This limits extending Ctx.End beyond OrigEnd to prevent these
overflows.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65432
Signed-off-by: David Korczynski <david at adalogics.com>
---
llvm/lib/Object/WasmObjectFile.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index 40665d686cf939..6f89e183118d63 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -546,6 +546,9 @@ Error WasmObjectFile::parseLinkingSection(ReadContext &Ctx) {
uint32_t Size = readVaruint32(Ctx);
LLVM_DEBUG(dbgs() << "readSubsection type=" << int(Type) << " size=" << Size
<< "\n");
+ if ((const uint8_t *)(Ctx.Ptr + Size) > OrigEnd)
+ return make_error<GenericBinaryError>("invalid segment size",
+ object_error::parse_failed);
Ctx.End = Ctx.Ptr + Size;
switch (Type) {
case wasm::WASM_SYMBOL_TABLE:
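Review bot: The new check at the top of this hunk forms the pointer `Ctx.Ptr + Size` before comparing it with `OrigEnd`, and forming a pointer past the end of the buffer is itself undefined behaviour; with a 32-bit `Size` coming straight from `readVaruint32`, a hostile value produces exactly that out-of-range pointer before the comparison runs, so a compiler is entitled to assume the condition is false. Comparing lengths rather than pointers avoids it, given that `Ctx.Ptr` is known to lie within the original buffer at this point: `if (Size > (uint64_t)(OrigEnd - Ctx.Ptr))` followed by the same `make_error`. If `Ctx.Ptr` is already a `const uint8_t *`, the cast in the current form adds nothing and can go. Two smaller points: the message "invalid segment size" is misleading here, since the debug line just above is about a linking subsection rather than a segment ("linking subsection size exceeds section" would match the surrounding code), and the patch carries no regression test; a minimal malformed object exercising the oss-fuzz reproducer under `llvm/test/Object` would keep this from regressing.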