asan: wasm: Out-of-memory
authorAlan Modra <amodra@gmail.com>
Sun, 8 Mar 2020 23:03:49 +0000 (09:33 +1030)
committerAlan Modra <amodra@gmail.com>
Sun, 8 Mar 2020 23:40:36 +0000 (10:10 +1030)
* wasm-module.c (wasm_scan): Sanity check file name length
before allocating memory.  Move common section setup code.  Do
without bfd_tell to calculate section size.

bfd/ChangeLog
bfd/wasm-module.c

index 0df437b2ffd16be2a3758d36efe7b56d38405e59..371e505392d561e3d69530b3e534d901e59206d7 100644 (file)
@@ -1,3 +1,9 @@
+2020-03-09  Alan Modra  <amodra@gmail.com>
+
+       * wasm-module.c (wasm_scan): Sanity check file name length
+       before allocating memory.  Move common section setup code.  Do
+       without bfd_tell to calculate section size.
+
 2020-03-06  Nick Clifton  <nickc@redhat.com>
 
        * elf.c (_bfd_elf_set_section_contents): Replace call to abort
index ac78692816e9c9a1c05f3d14ea511437e0b78a79..66ac2d1874b5bcb71d584772868b95d40cc5b689 100644 (file)
@@ -406,30 +406,33 @@ wasm_scan (bfd *abfd)
          if (bfdsec == NULL)
            goto error_return;
 
-         bfdsec->vma = vma;
-         bfdsec->lma = vma;
          bfdsec->size = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
          if (error)
            goto error_return;
-         bfdsec->filepos = bfd_tell (abfd);
-         bfdsec->alignment_power = 0;
        }
       else
        {
          bfd_vma payload_len;
-         file_ptr section_start;
          bfd_vma namelen;
          char *name;
          char *prefix = WASM_SECTION_PREFIX;
          size_t prefixlen = strlen (prefix);
+         ufile_ptr filesize;
 
          payload_len = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
          if (error)
            goto error_return;
-         section_start = bfd_tell (abfd);
          namelen = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
-         if (error || namelen > payload_len)
+         if (error || bytes_read > payload_len
+             || namelen > payload_len - bytes_read)
            goto error_return;
+         payload_len -= namelen + bytes_read;
+         filesize = bfd_get_file_size (abfd);
+         if (filesize != 0 && namelen > filesize)
+           {
+             bfd_set_error (bfd_error_file_truncated);
+             return FALSE;
+           }
          name = bfd_alloc (abfd, namelen + prefixlen + 1);
          if (!name)
            goto error_return;
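Review bot: The `filesize` guard ahead of `bfd_alloc` has no effect when `bfd_get_file_size (abfd)` returns 0 (presumably meaning the size is unknown), so on that path `namelen` is limited only by `payload_len`, which is read from the same untrusted file. Because `namelen` is a `bfd_vma`, `namelen + prefixlen + 1` could also wrap for values near the type maximum; a guard such as `if (namelen > (bfd_vma) -1 - prefixlen - 1) goto error_return;` before the allocation would rule that out. The new rejection path uses `return FALSE;` while every other failure in the hunk uses `goto error_return;`, so if that label performs cleanup this path skips it, and `goto error_return;` after `bfd_set_error` would be more consistent. `wasm_scan` begins and ends outside this hunk, so the label's body and the later read of the name are not visible here.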
@@ -443,13 +446,13 @@ wasm_scan (bfd *abfd)
          if (bfdsec == NULL)
            goto error_return;
 
-         bfdsec->vma = vma;
-         bfdsec->lma = vma;
-         bfdsec->filepos = bfd_tell (abfd);
-         bfdsec->size = section_start + payload_len - bfdsec->filepos;
-         bfdsec->alignment_power = 0;
+         bfdsec->size = payload_len;
        }
 
+      bfdsec->vma = vma;
+      bfdsec->lma = vma;
+      bfdsec->alignment_power = 0;
+      bfdsec->filepos = bfd_tell (abfd);
       if (bfdsec->size != 0)
        {
          bfdsec->contents = _bfd_alloc_and_read (abfd, bfdsec->size,
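Review bot: The hoisted `bfdsec->filepos = bfd_tell (abfd);` relies on both branches leaving the file positioned at the first byte of the section contents, and nothing documents that invariant. A comment above the shared setup would help, for example `/* Both branches above stop reading at the start of the section contents. */`. In both branches `bfdsec->size` comes from LEB128 values in the file and is passed straight to `_bfd_alloc_and_read`; whether that helper bounds the size against the file is not visible in this hunk, so it is worth confirming. The function continues past the end of the hunk.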