tools: address possible non-null terminated filenames

If a filename is a multiple of 18 characters, there will be no null-terminator. This will result in an invalid access by the constructed StringRef. Add a test case to exercise this and fix that handling. Address this same vulnerability in llvm-readobj as well. llvm-svn: 206145
2024-10-19 02:52:53 +02:00 · 2014-04-14 02:37:23 +00:00 · 2014-04-14 02:37:23 +00:00 · f19ae77520
commit f19ae77520
parent c145d314a1
6 changed files with 78 additions and 16 deletions
--- a/test/tools/llvm-objdump/Inputs/file-aux-record.yaml
+++ b/test/tools/llvm-objdump/Inputs/file-aux-record.yaml
@ -0,0 +1,21 @@
+header: !Header
+  Machine: IMAGE_FILE_MACHINE_I386 # (0x14c)
+  Characteristics: [ IMAGE_FILE_DEBUG_STRIPPED ]
+sections:
+symbols:
+  - !Symbol
+    Name: .file
+    Value: 0
+    SectionNumber: 65534
+    SimpleType: IMAGE_SYM_TYPE_NULL
+    ComplexType: IMAGE_SYM_DTYPE_NULL
+    StorageClass: IMAGE_SYM_CLASS_FILE
+    File: eighteen-chars.obj
+  - !Symbol
+    Name: '@comp.id'
+    Value: 13485607
+    SectionNumber: 65535
+    SimpleType: IMAGE_SYM_TYPE_NULL
+    ComplexType: IMAGE_SYM_DTYPE_NULL
+    StorageClass: IMAGE_SYM_CLASS_STATIC
+
--- a/test/tools/llvm-objdump/coff-non-null-terminated-file.test
+++ b/test/tools/llvm-objdump/coff-non-null-terminated-file.test
@ -0,0 +1,5 @@
+RUN: yaml2obj %p/Inputs/file-aux-record.yaml | llvm-objdump -t - | FileCheck %s
+
+CHECK: .file
+CHECK: AUX eighteen-chars.obj{{$}}
+
--- a/test/tools/llvm-readobj/Inputs/file-aux-record.yaml
+++ b/test/tools/llvm-readobj/Inputs/file-aux-record.yaml
@ -0,0 +1,21 @@
+header: !Header
+  Machine: IMAGE_FILE_MACHINE_I386 # (0x14c)
+  Characteristics: [ IMAGE_FILE_DEBUG_STRIPPED ]
+sections:
+symbols:
+  - !Symbol
+    Name: .file
+    Value: 0
+    SectionNumber: 65534
+    SimpleType: IMAGE_SYM_TYPE_NULL
+    ComplexType: IMAGE_SYM_DTYPE_NULL
+    StorageClass: IMAGE_SYM_CLASS_FILE
+    File: eighteen-chars.obj
+  - !Symbol
+    Name: '@comp.id'
+    Value: 13485607
+    SectionNumber: 65535
+    SimpleType: IMAGE_SYM_TYPE_NULL
+    ComplexType: IMAGE_SYM_DTYPE_NULL
+    StorageClass: IMAGE_SYM_CLASS_STATIC
+
--- a/test/tools/llvm-readobj/coff-non-null-terminated-file.test
+++ b/test/tools/llvm-readobj/coff-non-null-terminated-file.test
@ -0,0 +1,20 @@
+RUN: yaml2obj %p/Inputs/file-aux-record.yaml | llvm-readobj -t - | FileCheck %s
+
+CHECK: Symbols [
+CHECK:   Symbol {
+CHECK:     Name: .file
+CHECK:     Value: 0
+CHECK:     StorageClass: File
+CHECK:     AuxSymbolCount: 1
+CHECK:     AuxFileRecord {
+CHECK:       FileName: eighteen-chars.obj{{$}}
+CHECK:     }
+CHECK:   }
+CHECK:   Symbol {
+CHECK:     Name: @comp.id
+CHECK:     Value: 13485607
+CHECK:     StorageClass: Static
+CHECK:     AuxSymbolCount: 0
+CHECK:   }
+CHECK: ]
+
--- a/tools/llvm-objdump/llvm-objdump.cpp
+++ b/tools/llvm-objdump/llvm-objdump.cpp
@ -669,17 +669,7 @@ static void PrintCOFFSymbolTable(const COFFObjectFile *coff) {
  const coff_symbol *symbol = 0;
  for (int i = 0, e = header->NumberOfSymbols; i != e; ++i) {
    if (aux_count--) {
-      switch (symbol->StorageClass) {
-      default: outs() << "AUX Unknown\n";
-      case COFF::IMAGE_SYM_CLASS_STATIC:
-        // Section definition.  Follows a symbol-table record that defines a
-        // section.  Such a record has a symbol name that is the name of a
-        // section and has storage class STATIC (3).
-        if (symbol->Value) {
-          errs() << "invalid entry in Symbol Table";
-          break;
-        }
-
+      if (symbol->isSectionDefinition()) {
        const coff_aux_section_definition *asd;
        if (error(coff->getAuxSymbol<coff_aux_section_definition>(i, asd)))
          return;
@ -693,15 +683,17 @@ static void PrintCOFFSymbolTable(const COFFObjectFile *coff) {
               << format("assoc %d comdat %d\n"
                         , unsigned(asd->Number)
                         , unsigned(asd->Selection));
-        break;
-      case COFF::IMAGE_SYM_CLASS_FILE:
+      } else if (symbol->isFileRecord()) {
        const coff_aux_file *AF;
        if (error(coff->getAuxSymbol<coff_aux_file>(i, AF)))
          return;
-        outs() << "AUX " << StringRef(AF->FileName) << '\n';
+
+        StringRef Name(AF->FileName, (aux_count + 1) * COFF::SymbolSize);
+        outs() << "AUX " << Name.rtrim(StringRef("\0", 1))  << '\n';
        i = i + aux_count;
        aux_count = 0;
-        break;
+      } else {
+        outs() << "AUX Unknown\n";
      }
    } else {
      StringRef name;
--- a/tools/llvm-readobj/COFFDumper.cpp
+++ b/tools/llvm-readobj/COFFDumper.cpp
@ -977,7 +977,10 @@ void COFFDumper::printSymbol(const SymbolRef &Sym) {
        break;

      DictScope AS(W, "AuxFileRecord");
-      W.printString("FileName", StringRef(Aux->FileName));
+
+      StringRef Name(Aux->FileName,
+                     Symbol->NumberOfAuxSymbols * COFF::SymbolSize);
+      W.printString("FileName", Name.rtrim(StringRef("\0", 1)));
    } else if (Symbol->isSectionDefinition()) {
      const coff_aux_section_definition *Aux;
      if (error(getSymbolAuxData(Obj, Symbol + I, Aux)))