[MachO] Prevent heap overflow when load command extends past EOF

This patch fixes a heap-buffer-overflow when a malformed Mach-O has a
load command who's size extends past the end of the binary.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3225
Differential revision: https://reviews.llvm.org/D37439

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@313145 91177308-0d34-0410-b5e6-96231b3b80d8

diff --git a/lib/Object/MachOObjectFile.cpp b/lib/Object/MachOObjectFile.cpp
index a32533b003b28e4300f44489444f94cb23b77fd9..b943c4063d6982f8e6b2b85b4304781842404680 100644 (file)
--- a/lib/Object/MachOObjectFile.cpp
+++ b/lib/Object/MachOObjectFile.cpp
@@ -183,6 +183,9 @@ static Expected<MachOObjectFile::LoadCommandInfo>
 getLoadCommandInfo(const MachOObjectFile &Obj, const char *Ptr,
                    uint32_t LoadCommandIndex) {
   if (auto CmdOrErr = getStructOrErr<MachO::load_command>(Obj, Ptr)) {
+    if (CmdOrErr->cmdsize + Ptr > Obj.getData().end())
+      return malformedError("load command " + Twine(LoadCommandIndex) +
+                            " extends past end of file");
     if (CmdOrErr->cmdsize < 8)
       return malformedError("load command " + Twine(LoadCommandIndex) +
                             " with size less than 8 bytes");
@@ -800,7 +803,7 @@ static Error checkNoteCommand(const MachOObjectFile &Obj,
                               uint32_t LoadCommandIndex,
                               std::list<MachOElement> &Elements) {
   if (Load.C.cmdsize != sizeof(MachO::note_command))
-    return malformedError("load command " + Twine(LoadCommandIndex) + 
+    return malformedError("load command " + Twine(LoadCommandIndex) +
                           " LC_NOTE has incorrect cmdsize");
   MachO::note_command Nt = getStruct<MachO::note_command>(Obj, Load.Ptr);
   uint64_t FileSize = Obj.getData().size();

diff --git a/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof b/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof
new file mode 100644 (file)
index 0000000..feefab9
Binary files /dev/null and b/test/Object/Inputs/macho-invalid-dylib-cmdsize-past-eof differ

diff --git a/test/Object/macho-invalid.test b/test/Object/macho-invalid.test
index e956680a2ce5497bfb4f90edf58a8657c1aeab56..1a7ac21d744b94ff679fa7ea62df5f3036943ea3 100644 (file)
--- a/test/Object/macho-invalid.test
+++ b/test/Object/macho-invalid.test
@@ -284,6 +284,9 @@ INVALID-DYLIB-WRONG-FILETYPE: macho-invalid-dylib-wrong-filetype': truncated or
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-no-id  2>&1 | FileCheck -check-prefix INVALID-DYLIB-NO-ID %s
 INVALID-DYLIB-NO-ID: macho-invalid-dylib-no-id': truncated or malformed object (no LC_ID_DYLIB load command in dynamic library filetype)
 
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib-cmdsize-past-eof 2>&1 | FileCheck -check-prefix INVALID-DYLIB-CMDSIZE %s
+INVALID-DYLIB-CMDSIZE: macho-invalid-dylib-cmdsize-past-eof': truncated or malformed object (load command 0 extends past end of file)
+
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-uuid-more-than-one  2>&1 | FileCheck -check-prefix INVALID-UUID-MORE-THAN-ONE %s
 INVALID-UUID-MORE-THAN-ONE: macho-invalid-uuid-more-than-one': truncated or malformed object (more than one LC_UUID command)