
[WASM] Fix overflow when reading custom section

When reading a custom WASM section, it was possible that its name
extended beyond the size of the section. This resulted in a bogus value
for the section size due to the size overflowing.

Fixes heap buffer overflow detected by OSS-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8190

Differential revision: https://reviews.llvm.org/D50387

llvm-svn: 339269
This commit is contained in:
Jonas Devlieghere 2018-08-08 16:34:03 +00:00
parent d73939381b
commit b42f11290d
3 changed files with 13 additions and 3 deletions


@ -216,9 +216,16 @@ static Error readSection(WasmSection &Section,
return make_error<StringError>("Section too large", return make_error<StringError>("Section too large",
object_error::parse_failed); object_error::parse_failed);
if (Section.Type == wasm::WASM_SEC_CUSTOM) { if (Section.Type == wasm::WASM_SEC_CUSTOM) {
const uint8_t *NameStart = Ctx.Ptr; WasmObjectFile::ReadContext SectionCtx;
Section.Name = readString(Ctx); SectionCtx.Start = Ctx.Ptr;
Size -= Ctx.Ptr - NameStart; SectionCtx.Ptr = Ctx.Ptr;
SectionCtx.End = Ctx.Ptr + Size;
Section.Name = readString(SectionCtx);
uint32_t SectionNameSize = SectionCtx.Ptr - SectionCtx.Start;
Ctx.Ptr += SectionNameSize;
Size -= SectionNameSize;
} }
Section.Content = ArrayRef<uint8_t>(Ctx.Ptr, Size); Section.Content = ArrayRef<uint8_t>(Ctx.Ptr, Size);
Ctx.Ptr += Size; Ctx.Ptr += Size;
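Review bot: The truncated-name case is now caught, but apparently as a fatal error rather than the recoverable `Error` that the "Section too large" check at the top of the hunk returns: the new test expects `LLVM ERROR: EOF while reading string`, which suggests readString aborts when the name length runs past SectionCtx.End. For a parser of untrusted object files that is a process-terminating failure a library consumer cannot catch, so reporting it through `make_error<StringError>(..., object_error::parse_failed)` like the surrounding checks would be preferable, if readString's failure can be surfaced without the fatal path. The pointer-difference narrowing in `uint32_t SectionNameSize = SectionCtx.Ptr - SectionCtx.Start;` is only safe because the read is bounded by Size, which deserves a one-line comment above the SectionCtx setup such as `// Bound the name read to this section so a bad length cannot make Size underflow.` readSection starts and ends outside the hunk.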

Binary file not shown.


@ -0,0 +1,3 @@
RUN: not llvm-objdump -s %p/Inputs/WASM/string-outside-section.wasm 2>&1 | FileCheck %s
CHECK: LLVM ERROR: EOF while reading string