diff options
| author | Zixu Wang <9819235+zixu-w@users.noreply.github.com> | 2024-05-30 23:08:01 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-05-30 23:08:01 -0700 |
| commit | 1fa073ab896e65c55ff63487be0b41d7cea9aa77 (patch) | |
| tree | f26add22c2a4fe7d4431c378f1c153d7c85a824b /llvm/lib/Object/MachOObjectFile.cpp | |
| parent | c5fdb5c34e0dc3f5f3c0db19cf704b30a778cd0e (diff) | |
| download | llvm-1fa073ab896e65c55ff63487be0b41d7cea9aa77.zip llvm-1fa073ab896e65c55ff63487be0b41d7cea9aa77.tar.gz llvm-1fa073ab896e65c55ff63487be0b41d7cea9aa77.tar.bz2 | |
[MachO] Stop parsing past end of rebase/bind table (#93897)
`MachORebaseEntry::moveNext()` and `MachOBindEntry::moveNext()` assume
that the rebase/bind table ends with `{REBASE|BIND}_OPCODE_DONE` or an
actual rebase/bind. However a valid rebase/bind table might also end
with other effectively no-op opcodes, which caused the parser to move
past the end and go into the next table, resulting in corrupted entries
or infinite loops.
Diffstat (limited to 'llvm/lib/Object/MachOObjectFile.cpp')
| -rw-r--r-- | llvm/lib/Object/MachOObjectFile.cpp | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp index 863bc12..61d880b 100644 --- a/llvm/lib/Object/MachOObjectFile.cpp +++ b/llvm/lib/Object/MachOObjectFile.cpp @@ -3501,15 +3501,17 @@ void MachORebaseEntry::moveNext() { --RemainingLoopCount; return; } - // REBASE_OPCODE_DONE is only used for padding if we are not aligned to - // pointer size. Therefore it is possible to reach the end without ever having - // seen REBASE_OPCODE_DONE. - if (Ptr == Opcodes.end()) { - Done = true; - return; - } + bool More = true; while (More) { + // REBASE_OPCODE_DONE is only used for padding if we are not aligned to + // pointer size. Therefore it is possible to reach the end without ever + // having seen REBASE_OPCODE_DONE. + if (Ptr == Opcodes.end()) { + Done = true; + return; + } + // Parse next opcode and set up next loop. const uint8_t *OpcodeStart = Ptr; uint8_t Byte = *Ptr++; @@ -3838,15 +3840,17 @@ void MachOBindEntry::moveNext() { --RemainingLoopCount; return; } - // BIND_OPCODE_DONE is only used for padding if we are not aligned to - // pointer size. Therefore it is possible to reach the end without ever having - // seen BIND_OPCODE_DONE. - if (Ptr == Opcodes.end()) { - Done = true; - return; - } + bool More = true; while (More) { + // BIND_OPCODE_DONE is only used for padding if we are not aligned to + // pointer size. Therefore it is possible to reach the end without ever + // having seen BIND_OPCODE_DONE. + if (Ptr == Opcodes.end()) { + Done = true; + return; + } + // Parse next opcode and set up next loop. const uint8_t *OpcodeStart = Ptr; uint8_t Byte = *Ptr++; |