authorAlan Modra <amodra@gmail.com>2020-03-09 09:33:49 +1030
committerAlan Modra <amodra@gmail.com>2020-03-09 10:10:36 +1030
commit2f57795b8b3cb2c416e91a16bc932480248e30d7 (patch)
tree8c1225897b9c7949b873704580c0c14e43079846
parente63ee24f98f0648d1a88f9a74bd60a7278aeda2c (diff)
asan: wasm: Out-of-memory
* wasm-module.c (wasm_scan): Sanity check file name length before allocating memory. Move common section setup code. Do without bfd_tell to calculate section size.
-rw-r--r--bfd/ChangeLog6
-rw-r--r--bfd/wasm-module.c27
2 files changed, 21 insertions, 12 deletions
diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 0df437b..371e505 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-09 Alan Modra <amodra@gmail.com>
+
+ * wasm-module.c (wasm_scan): Sanity check file name length
+ before allocating memory. Move common section setup code. Do
+ without bfd_tell to calculate section size.
+
2020-03-06 Nick Clifton <nickc@redhat.com>
* elf.c (_bfd_elf_set_section_contents): Replace call to abort
diff --git a/bfd/wasm-module.c b/bfd/wasm-module.c
index ac78692..66ac2d1 100644
--- a/bfd/wasm-module.c
+++ b/bfd/wasm-module.c
@@ -406,30 +406,33 @@ wasm_scan (bfd *abfd)
if (bfdsec == NULL)
goto error_return;
- bfdsec->vma = vma;
- bfdsec->lma = vma;
bfdsec->size = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
if (error)
goto error_return;
- bfdsec->filepos = bfd_tell (abfd);
- bfdsec->alignment_power = 0;
}
else
{
bfd_vma payload_len;
- file_ptr section_start;
bfd_vma namelen;
char *name;
char *prefix = WASM_SECTION_PREFIX;
size_t prefixlen = strlen (prefix);
+ ufile_ptr filesize;
payload_len = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
if (error)
goto error_return;
- section_start = bfd_tell (abfd);
namelen = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
- if (error || namelen > payload_len)
+ if (error || bytes_read > payload_len
+ || namelen > payload_len - bytes_read)
goto error_return;
+ payload_len -= namelen + bytes_read;
+ filesize = bfd_get_file_size (abfd);
+ if (filesize != 0 && namelen > filesize)
+ {
+ bfd_set_error (bfd_error_file_truncated);
+ return FALSE;
+ }
name = bfd_alloc (abfd, namelen + prefixlen + 1);
if (!name)
goto error_return;
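Review bot: The new file-size test on `namelen` is skipped whenever `bfd_get_file_size` returns 0 (presumably meaning the size is unknown), so on that path `namelen` is bounded only by `payload_len`, which is itself read from the input, and `namelen + prefixlen + 1` is passed to `bfd_alloc` with no wrap check. A guard just before the allocation, such as `if (namelen > (bfd_vma) -1 - prefixlen - 1) goto error_return;`, would keep the requested size from wrapping regardless of what the file-size query reports. Separately, the added branch leaves with `return FALSE` while every other failure in this hunk uses `goto error_return`; if that label does any cleanup the new path bypasses it, so `goto error_return;` after `bfd_set_error` would be more consistent. The body of `wasm_scan` begins and ends outside this hunk, so the label and the read that fills `name` are not visible here.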
@@ -443,13 +446,13 @@ wasm_scan (bfd *abfd)
if (bfdsec == NULL)
goto error_return;
- bfdsec->vma = vma;
- bfdsec->lma = vma;
- bfdsec->filepos = bfd_tell (abfd);
- bfdsec->size = section_start + payload_len - bfdsec->filepos;
- bfdsec->alignment_power = 0;
+ bfdsec->size = payload_len;
}
+ bfdsec->vma = vma;
+ bfdsec->lma = vma;
+ bfdsec->alignment_power = 0;
+ bfdsec->filepos = bfd_tell (abfd);
if (bfdsec->size != 0)
{
bfdsec->contents = _bfd_alloc_and_read (abfd, bfdsec->size,