diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp index b5ca95add73b..2435340b66ed 100644 --- a/llvm/lib/Object/MachOObjectFile.cpp +++ b/llvm/lib/Object/MachOObjectFile.cpp @@ -184,7 +184,7 @@ static Expected getFirstLoadCommandInfo(const MachOObjectFile *Obj) { unsigned HeaderSize = Obj->is64Bit() ? sizeof(MachO::mach_header_64) : sizeof(MachO::mach_header); - if (sizeof(MachOObjectFile::LoadCommandInfo) > Obj->getHeader().sizeofcmds) + if (sizeof(MachO::load_command) > Obj->getHeader().sizeofcmds) return malformedError("load command 0 extends past the end all load " "commands in the file"); return getLoadCommandInfo(Obj, getPtr(Obj, HeaderSize), 0); @@ -195,7 +195,7 @@ getNextLoadCommandInfo(const MachOObjectFile *Obj, uint32_t LoadCommandIndex, const MachOObjectFile::LoadCommandInfo &L) { unsigned HeaderSize = Obj->is64Bit() ? sizeof(MachO::mach_header_64) : sizeof(MachO::mach_header); - if (L.Ptr + L.C.cmdsize + sizeof(MachOObjectFile::LoadCommandInfo) > + if (L.Ptr + L.C.cmdsize + sizeof(MachO::load_command) > Obj->getData().data() + HeaderSize + Obj->getHeader().sizeofcmds) return malformedError("load command " + Twine(LoadCommandIndex + 1) + " extends past the end all load commands in the file"); @@ -474,6 +474,36 @@ static Error checkDysymtabCommand(const MachOObjectFile *Obj, return Error::success(); } +static Error checkLinkeditDataCommand(const MachOObjectFile *Obj, + const MachOObjectFile::LoadCommandInfo &Load, + uint32_t LoadCommandIndex, + const char **LoadCmd, const char *CmdName) { + if (Load.C.cmdsize < sizeof(MachO::linkedit_data_command)) + return malformedError("load command " + Twine(LoadCommandIndex) + " " + + CmdName + " cmdsize too small"); + if (*LoadCmd != nullptr) + return malformedError("more than one " + Twine(CmdName) + " command"); + MachO::linkedit_data_command LinkData = + getStruct(Obj, Load.Ptr); + if (LinkData.cmdsize != sizeof(MachO::linkedit_data_command)) + return malformedError(Twine(CmdName) + " command " + + Twine(LoadCommandIndex) + " has incorrect cmdsize"); + uint64_t FileSize = Obj->getData().size(); + if (LinkData.dataoff > FileSize) + return malformedError("dataoff field of " + Twine(CmdName) + " command " + + Twine(LoadCommandIndex) + " extends past the end of " + "the file"); + uint64_t BigSize = LinkData.dataoff; + BigSize += LinkData.datasize; + if (BigSize > FileSize) + return malformedError("dataoff field plus datasize field of " + + Twine(CmdName) + " command " + + Twine(LoadCommandIndex) + " extends past the end of " + "the file"); + *LoadCmd = Load.Ptr; + return Error::success(); +} + Expected> MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian, bool Is64Bits) { @@ -550,19 +580,13 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian, if ((Err = checkDysymtabCommand(this, Load, I, &DysymtabLoadCmd))) return; } else if (Load.C.cmd == MachO::LC_DATA_IN_CODE) { - // Multiple data in code tables - if (DataInCodeLoadCmd) { - Err = malformedError("Multiple data-in-code tables"); + if ((Err = checkLinkeditDataCommand(this, Load, I, &DataInCodeLoadCmd, + "LC_DATA_IN_CODE"))) return; - } - DataInCodeLoadCmd = Load.Ptr; } else if (Load.C.cmd == MachO::LC_LINKER_OPTIMIZATION_HINT) { - // Multiple linker optimization hint tables - if (LinkOptHintsLoadCmd) { - Err = malformedError("Multiple linker optimization hint tables"); + if ((Err = checkLinkeditDataCommand(this, Load, I, &LinkOptHintsLoadCmd, + "LC_LINKER_OPTIMIZATION_HINT"))) return; - } - LinkOptHintsLoadCmd = Load.Ptr; } else if (Load.C.cmd == MachO::LC_DYLD_INFO || Load.C.cmd == MachO::LC_DYLD_INFO_ONLY) { // Multiple dyldinfo load commands diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size b/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size new file mode 100644 index 000000000000..c0ea110bc6ee Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dataincode-bad-size differ diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize b/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize new file mode 100644 index 000000000000..fd3ab6dc5dc4 Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dataincode-dataoff-datasize differ diff --git a/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one b/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one new file mode 100644 index 000000000000..383d0ec2a096 Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-dataincode-more-than-one differ diff --git a/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff b/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff new file mode 100644 index 000000000000..1b2b3d84f9ae Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-linkopthint-dataoff differ diff --git a/llvm/test/Object/Inputs/macho-invalid-linkopthint-small b/llvm/test/Object/Inputs/macho-invalid-linkopthint-small new file mode 100644 index 000000000000..5fe691982461 Binary files /dev/null and b/llvm/test/Object/Inputs/macho-invalid-linkopthint-small differ diff --git a/llvm/test/Object/macho-invalid.test b/llvm/test/Object/macho-invalid.test index 2162a88a52fb..91a325ad7d12 100644 --- a/llvm/test/Object/macho-invalid.test +++ b/llvm/test/Object/macho-invalid.test @@ -208,3 +208,19 @@ INVALID-DYSYMTAB-TOCOFF-LOCRELOFF: macho-invalid-dysymtab-locreloff': truncated RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dysymtab-locreloff-nlocrel 2>&1 | FileCheck -check-prefix INVALID-DYSYMTAB-TOCOFF-LOCRELOFF-NLOCREL %s INVALID-DYSYMTAB-TOCOFF-LOCRELOFF-NLOCREL: macho-invalid-dysymtab-locreloff-nlocrel': truncated or malformed object (locreloff field plus nlocrel field times sizeof(struct relocation_info) of LC_DYSYMTAB command 0 extends past the end of the file) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-more-than-one 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-MORE-THAN-ONE %s +INVALID-DATAINCODE-MORE-THAN-ONE: macho-invalid-dataincode-more-than-one': truncated or malformed object (more than one LC_DATA_IN_CODE command) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-linkopthint-small 2>&1 | FileCheck -check-prefix INVALID-LINKOPTHINT-SMALL %s +INVALID-LINKOPTHINT-SMALL: macho-invalid-linkopthint-small': truncated or malformed object (load command 0 LC_LINKER_OPTIMIZATION_HINT cmdsize too small) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-bad-size 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-BAD-SIZE %s +INVALID-DATAINCODE-BAD-SIZE: macho-invalid-dataincode-bad-size': truncated or malformed object (LC_DATA_IN_CODE command 0 has incorrect cmdsize) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-linkopthint-dataoff 2>&1 | FileCheck -check-prefix INVALID-LINKOPTHINT-DATAOFF %s +INVALID-LINKOPTHINT-DATAOFF: macho-invalid-linkopthint-dataoff': truncated or malformed object (dataoff field of LC_LINKER_OPTIMIZATION_HINT command 0 extends past the end of the file) + +RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dataincode-dataoff-datasize 2>&1 | FileCheck -check-prefix INVALID-DATAINCODE-DATAOFF-DATASIZE %s +INVALID-DATAINCODE-DATAOFF-DATASIZE: macho-invalid-dataincode-dataoff-datasize': truncated or malformed object (dataoff field plus datasize field of LC_DATA_IN_CODE command 0 extends past the end of the file) +