Next set of additional error checks for invalid Mach-O files for the
authorKevin Enderby <enderby@apple.com>
Wed, 28 Sep 2016 23:16:01 +0000 (23:16 +0000)
committerKevin Enderby <enderby@apple.com>
Wed, 28 Sep 2016 23:16:01 +0000 (23:16 +0000)
load command that uses the MachO::rpath_command type,
which is not used in llvm libObject code but is used in llvm tool code.

This includes just the LC_RPATH load command.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@282649 91177308-0d34-0410-b5e6-96231b3b80d8

lib/Object/MachOObjectFile.cpp
test/Object/Inputs/macho-invalid-rpath-name_offset-toobig [new file with mode: 0644]
test/Object/Inputs/macho-invalid-rpath-name_toobig [new file with mode: 0644]
test/Object/Inputs/macho-invalid-rpath-small [new file with mode: 0644]
test/Object/macho-invalid.test

index 847e61fff1ea4ddb055814343295d8b391bc4fa8..364239462293bdbebc401842d572d89a86d34a3c 100644 (file)
@@ -669,6 +669,35 @@ static Error checkVersCommand(const MachOObjectFile *Obj,
   return Error::success();
 }
 
+static Error checkRpathCommand(const MachOObjectFile *Obj,
+                               const MachOObjectFile::LoadCommandInfo &Load,
+                               uint32_t LoadCommandIndex) {
+  if (Load.C.cmdsize < sizeof(MachO::rpath_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) +
+                          " LC_RPATH cmdsize too small");
+  MachO::rpath_command R = getStruct<MachO::rpath_command>(Obj, Load.Ptr);
+  if (R.path < sizeof(MachO::rpath_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) +
+                          " LC_RPATH path.offset field too small, not past "
+                          "the end of the rpath_command struct");
+  if (R.path >= R.cmdsize)
+    return malformedError("load command " + Twine(LoadCommandIndex) +
+                          " LC_RPATH path.offset field extends past the end "
+                          "of the load command");
+  // Make sure there is a null between the starting offset of the path and
+  // the end of the load command.
+  uint32_t i;
+  const char *P = (const char *)Load.Ptr;
+  for (i = R.path; i < R.cmdsize; i++)
+    if (P[i] == '\0')
+      break;
+  if (i >= R.cmdsize)
+    return malformedError("load command " + Twine(LoadCommandIndex) +
+                          " LC_RPATH library name extends past the end of the "
+                          "load command");
+  return Error::success();
+}
+
 Expected<std::unique_ptr<MachOObjectFile>>
 MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian,
                         bool Is64Bits) {
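Review bot: The NUL scan in checkRpathCommand reads `P[i]` for every `i` up to `R.cmdsize`, so it stays inside the object buffer only if `Load.Ptr + cmdsize` has already been checked against the end of the file, and nothing in this hunk does that. That validation presumably happens where the load command is fetched, outside the hunk; once confirmed, a comment above the loop such as `// cmdsize was bounds-checked against the file when this load command was read.` would record the precondition this attacker-controlled length depends on. The first check reads `Load.C.cmdsize` while the later ones read `R.cmdsize`; using one of them throughout would make it obvious they are the same field. The last message says "library name", but LC_RPATH carries a path, so `" LC_RPATH path extends past the end of the "` would be more accurate (the expected string in the new test would need the same change).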
@@ -847,6 +876,9 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian,
       if ((Err = checkVersCommand(this, Load, I, &VersLoadCmd,
                                   "LC_VERSION_MIN_WATCHOS")))
         return;
+    } else if (Load.C.cmd == MachO::LC_RPATH) {
+      if ((Err = checkRpathCommand(this, Load, I)))
+        return;
     }
     if (I < LoadCommandCount - 1) {
       if (auto LoadOrErr = getNextLoadCommandInfo(this, I, Load))
diff --git a/test/Object/Inputs/macho-invalid-rpath-name_offset-toobig b/test/Object/Inputs/macho-invalid-rpath-name_offset-toobig
new file mode 100644 (file)
index 0000000..0a4849a
Binary files /dev/null and b/test/Object/Inputs/macho-invalid-rpath-name_offset-toobig differ
diff --git a/test/Object/Inputs/macho-invalid-rpath-name_toobig b/test/Object/Inputs/macho-invalid-rpath-name_toobig
new file mode 100644 (file)
index 0000000..2a1abe6
Binary files /dev/null and b/test/Object/Inputs/macho-invalid-rpath-name_toobig differ
diff --git a/test/Object/Inputs/macho-invalid-rpath-small b/test/Object/Inputs/macho-invalid-rpath-small
new file mode 100644 (file)
index 0000000..5a6944f
Binary files /dev/null and b/test/Object/Inputs/macho-invalid-rpath-small differ
index c42de88218c7490010bca9141f54a05493d874ee..c4048db23b66920cd72268400f2fd635fe7213c4 100644 (file)
@@ -313,3 +313,12 @@ INVALID-VERS-SMALL: macho-invalid-vers-small': truncated or malformed object (lo
 
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-vers-more-than-one 2>&1 | FileCheck -check-prefix INVALID-VERS-MORE-THAN-ONE %s
 INVALID-VERS-MORE-THAN-ONE: macho-invalid-vers-more-than-one': truncated or malformed object (more than one LC_VERSION_MIN_MACOSX, LC_VERSION_MIN_IPHONEOS, LC_VERSION_MIN_TVOS or LC_VERSION_MIN_WATCHOS command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-rpath-small 2>&1 | FileCheck -check-prefix INVALID-RPATH-SMALL %s
+INVALID-RPATH-SMALL: macho-invalid-rpath-small': truncated or malformed object (load command 0 LC_RPATH cmdsize too small)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-rpath-name_offset-toobig 2>&1 | FileCheck -check-prefix INVALID-RPATH-NAME_OFFSET-TOOBIG %s
+INVALID-RPATH-NAME_OFFSET-TOOBIG: macho-invalid-rpath-name_offset-toobig': truncated or malformed object (load command 0 LC_RPATH path.offset field extends past the end of the load command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-rpath-name_toobig 2>&1 | FileCheck -check-prefix INVALID-RPATH-NAME_TOOBIG %s
+INVALID-RPATH-NAME_TOOBIG: macho-invalid-rpath-name_toobig': truncated or malformed object (load command 0 LC_RPATH library name extends past the end of the load command)
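Review bot: The `path.offset field too small` branch of checkRpathCommand has no test here; the three new RUN lines cover only the cmdsize-too-small, offset-past-end and unterminated-name errors. A fourth input whose `path` offset is smaller than `sizeof(MachO::rpath_command)` would pin that message too, with a check line along the lines of `INVALID-RPATH-NAME_OFFSET-TOOSMALL: <input-file-placeholder>': truncated or malformed object (load command 0 LC_RPATH path.offset field too small, not past the end of the rpath_command struct)`. The prefix and input file name are placeholders to be chosen to match the existing naming.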