author | DavidKorczynski <david@adalogics.com> | 2023-12-26 21:32:13 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-12-26 13:32:13 -0800 |
commit | e8b6fa5f301de4688b7a4bd6c41d30f29f0e2ddd (patch) | |
tree | 81a00bc72140a592d147e5531e89f488ab5bdc84 /llvm/lib/Object/WasmObjectFile.cpp | |
parent | 1022febd9df30abbd5c490b94290c4422ca15b01 (diff) | |
[WebAssembly] Add bounds check in parseCodeSection (#76407)
This is needed as otherwise `Ctx.Ptr` will be incremented to a position
outside its available buffer, which is being used to read values, e.g.
https://github.com/llvm/llvm-project/blob/966d564e43e650b9c34f9c67829d3947f52add91/llvm/lib/Object/WasmObjectFile.cpp#L1469
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856
Signed-off-by: David Korczynski <david@adalogics.com>
Diffstat (limited to 'llvm/lib/Object/WasmObjectFile.cpp')
-rw-r--r-- | llvm/lib/Object/WasmObjectFile.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
index dfe86a4..40665d6 100644
--- a/llvm/lib/Object/WasmObjectFile.cpp
+++ b/llvm/lib/Object/WasmObjectFile.cpp
@@ -1484,6 +1484,11 @@ Error WasmObjectFile::parseCodeSection(ReadContext &Ctx) {
 }
 uint32_t BodySize = FunctionEnd - Ctx.Ptr;
+ // Ensure that Function is within Ctx's buffer.
+ if (Ctx.Ptr + BodySize > Ctx.End) {
+ return make_error<GenericBinaryError>("Function extends beyond buffer",
+ object_error::parse_failed);
+ }
 Function.Body = ArrayRef<uint8_t>(Ctx.Ptr, BodySize);
 // This will be set later when reading in the linking metadata section.
 Function.Comdat = UINT32_MAX;
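Review bot: The added guard `if (Ctx.Ptr + BodySize > Ctx.End)` forms the out-of-range pointer before testing it, which is exactly the value the check is meant to reject; compare lengths instead so no pointer past the buffer is ever materialised, e.g. `if (BodySize > static_cast<size_t>(Ctx.End - Ctx.Ptr))` (this relies on `Ctx.Ptr <= Ctx.End` being an invariant of the reader, which the hunk does not show). `BodySize` is the unsigned result of `FunctionEnd - Ctx.Ptr`, so if the locals parsed above the hunk already advanced `Ctx.Ptr` past `FunctionEnd` it wraps to a very large value; the length comparison still rejects that case, but a short comment on the `BodySize` line stating that a wrapped value is deliberately caught by the check would make the intent clear to the next reader. `FunctionEnd` and the locals parsing live outside the hunk, as does the rest of parseCodeSection, so the earlier derivation of `FunctionEnd` from the declared size is presumably still unchecked; if so, a bounds check at that point (before any reads that use `FunctionEnd` as a limit) would cover the same defect one step earlier.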