[llvm] [WebAssembly] Limit increase of Ctx.End (PR #76676)
via llvm-commits
llvm-commits at lists.llvm.org
Mon Jan 1 04:59:57 PST 2024
llvmbot wrote:
@llvm/pr-subscribers-llvm-binary-utilities
@llvm/pr-subscribers-backend-webassembly
Author: None (DavidKorczynski)
<details>
<summary>Changes</summary>
Extending `Ctx.End` beyond the original buffer leads to buffer overflows. This limits extending Ctx.End beyond OrigEnd to prevent these overflows.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65432
---
Full diff: https://github.com/llvm/llvm-project/pull/76676.diff
1 File Affected:
- (modified) llvm/lib/Object/WasmObjectFile.cpp (+3)
``````````diff
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index 40665d686cf939..6f89e183118d63 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -546,6 +546,9 @@ Error WasmObjectFile::parseLinkingSection(ReadContext &Ctx) {
uint32_t Size = readVaruint32(Ctx);
LLVM_DEBUG(dbgs() << "readSubsection type=" << int(Type) << " size=" << Size
<< "\n");
+ if ((const uint8_t *)(Ctx.Ptr + Size) > OrigEnd)
+ return make_error<GenericBinaryError>("invalid segment size",
+ object_error::parse_failed);
Ctx.End = Ctx.Ptr + Size;
switch (Type) {
case wasm::WASM_SYMBOL_TABLE:
``````````
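Review bot: the new check computes `Ctx.Ptr + Size` before comparing, and `Size` comes straight from `readVaruint32(Ctx)`, so a value near UINT32_MAX can make the pointer arithmetic itself wrap before the `> OrigEnd` comparison ever runs; comparing lengths avoids that, e.g. `if (Size > (size_t)(OrigEnd - Ctx.Ptr))`. The message "invalid segment size" also does not describe what is being checked here, which is a linking-section subsection (see the `readSubsection` debug output two lines above), so "invalid subsection size" would be clearer, and the `(const uint8_t *)` cast looks redundant if `Ctx.Ptr` is already that type. Since the PR touches only WasmObjectFile.cpp, a regression test with a malformed linking section (the oss-fuzz reproducer, or a hand-built one under llvm/test/Object) would be worth adding.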
</details>
https://github.com/llvm/llvm-project/pull/76676
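To show why the length form of the check matters, here is an added example (not LLVM's code, and not the patch above) that parses the same "type byte, varuint32 size, payload" subsection layout on a minimal stand-in for `ReadContext`. The struct, `readVaruint32`, `subsectionFits`, `parseSubsections` and the three input buffers are all constructed for this example; only the field names mirror the diff.

```cpp
// Added example, not LLVM code: an overflow-safe version of the subsection
// length check, on a hypothetical stand-in for WasmObjectFile's ReadContext.
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for llvm::object::WasmObjectFile::ReadContext.
struct ReadContext {
  const uint8_t *Start;
  const uint8_t *Ptr;
  const uint8_t *End;
};

// Bounded LEB128 decode of a varuint32. Returns false (instead of raising an
// object_error) when the buffer ends early or the encoding is too long.
static bool readVaruint32(ReadContext &Ctx, uint32_t &Out) {
  uint64_t Result = 0;
  unsigned Shift = 0;
  while (true) {
    if (Ctx.Ptr >= Ctx.End)
      return false;                     // ran off the end of the buffer
    uint8_t Byte = *Ctx.Ptr++;
    Result |= uint64_t(Byte & 0x7f) << Shift;
    if (!(Byte & 0x80))
      break;
    Shift += 7;
    if (Shift >= 35)                    // more than 5 bytes: not a varuint32
      return false;
  }
  if (Result > UINT32_MAX)
    return false;
  Out = uint32_t(Result);
  return true;
}

// The patch's check written on lengths rather than pointers: comparing Size
// against the bytes that remain cannot wrap, whereas Ctx.Ptr + Size can when
// Size is an attacker-chosen value near UINT32_MAX.
static bool subsectionFits(const ReadContext &Ctx, const uint8_t *OrigEnd,
                           uint32_t Size) {
  if (Ctx.Ptr > OrigEnd)
    return false;
  return Size <= static_cast<size_t>(OrigEnd - Ctx.Ptr);
}

// Walk "type, size, payload" subsections until the buffer is exhausted.
// Returns the number of subsections accepted, or -1 for a malformed input.
int parseSubsections(const std::vector<uint8_t> &Buf) {
  ReadContext Ctx{Buf.data(), Buf.data(), Buf.data() + Buf.size()};
  const uint8_t *OrigEnd = Ctx.End;
  int Count = 0;
  while (Ctx.Ptr < OrigEnd) {
    Ctx.End = OrigEnd;                  // reset the limit for the header
    uint8_t Type = *Ctx.Ptr++;          // one-byte subsection type
    (void)Type;
    uint32_t Size = 0;
    if (!readVaruint32(Ctx, Size))
      return -1;
    if (!subsectionFits(Ctx, OrigEnd, Size))
      return -1;                        // what the patch now rejects
    Ctx.End = Ctx.Ptr + Size;           // safe: the sum stays inside Buf
    Ctx.Ptr = Ctx.End;                  // skip the payload
    ++Count;
  }
  return Count;
}

// Constructed inputs for this example.
const std::vector<uint8_t> GoodInput = {
    0x08, 0x02, 0xAA, 0xBB,   // type 8, size 2, two payload bytes
    0x05, 0x00};              // type 5, size 0
const std::vector<uint8_t> OversizedInput = {
    0x08, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 0x00}; // size 0xFFFFFFFF, 1 byte left
const std::vector<uint8_t> TruncatedInput = {
    0x08, 0x10, 0x01};        // size 16 claimed, only 1 payload byte present
```

`parseSubsections` returns 2 for the well-formed buffer and -1 for both malformed ones; the oversized case is the shape the fuzzer found, where the claimed size is far larger than the remaining bytes.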