From 2f57795b8b3cb2c416e91a16bc932480248e30d7 Mon Sep 17 00:00:00 2001
From: Alan Modra
Date: Mon, 9 Mar 2020 09:33:49 +1030
Subject: [PATCH] asan: wasm: Out-of-memory

	* wasm-module.c (wasm_scan): Sanity check file name length
	before allocating memory. Move common section setup code. Do
	without bfd_tell to calculate section size.
---
 bfd/ChangeLog     |  6 ++++++
 bfd/wasm-module.c | 27 +++++++++++++++------------
 2 files changed, 21 insertions(+), 12 deletions(-)

diff --git a/bfd/ChangeLog b/bfd/ChangeLog
index 0df437b2ffd..371e505392d 100644
--- a/bfd/ChangeLog
+++ b/bfd/ChangeLog
@@ -1,3 +1,9 @@
+2020-03-09 Alan Modra
+
+	* wasm-module.c (wasm_scan): Sanity check file name length
+	before allocating memory. Move common section setup code. Do
+	without bfd_tell to calculate section size.
+
 2020-03-06 Nick Clifton
 
 	* elf.c (_bfd_elf_set_section_contents): Replace call to abort
diff --git a/bfd/wasm-module.c b/bfd/wasm-module.c
index ac78692816e..66ac2d1874b 100644
--- a/bfd/wasm-module.c
+++ b/bfd/wasm-module.c
@@ -406,30 +406,33 @@ wasm_scan (bfd *abfd)
 	  if (bfdsec == NULL)
 	    goto error_return;
 
-	  bfdsec->vma = vma;
-	  bfdsec->lma = vma;
 	  bfdsec->size = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
 	  if (error)
 	    goto error_return;
-	  bfdsec->filepos = bfd_tell (abfd);
-	  bfdsec->alignment_power = 0;
 	}
       else
 	{
 	  bfd_vma payload_len;
-	  file_ptr section_start;
 	  bfd_vma namelen;
 	  char *name;
 	  char *prefix = WASM_SECTION_PREFIX;
 	  size_t prefixlen = strlen (prefix);
+	  ufile_ptr filesize;
 
 	  payload_len = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
 	  if (error)
 	    goto error_return;
-	  section_start = bfd_tell (abfd);
 	  namelen = wasm_read_leb128 (abfd, &error, &bytes_read, FALSE);
-	  if (error || namelen > payload_len)
+	  if (error || bytes_read > payload_len
+	      || namelen > payload_len - bytes_read)
 	    goto error_return;
+	  payload_len -= namelen + bytes_read;
+	  filesize = bfd_get_file_size (abfd);
+	  if (filesize != 0 && namelen > filesize)
+	    {
+	      bfd_set_error (bfd_error_file_truncated);
+	      return FALSE;
+	    }
 	  name = bfd_alloc (abfd, namelen + prefixlen + 1);
 	  if (!name)
 	    goto error_return;
@@ -443,13 +446,13 @@ wasm_scan (bfd *abfd)
 	  if (bfdsec == NULL)
 	    goto error_return;
 
-	  bfdsec->vma = vma;
-	  bfdsec->lma = vma;
-	  bfdsec->filepos = bfd_tell (abfd);
-	  bfdsec->size = section_start + payload_len - bfdsec->filepos;
-	  bfdsec->alignment_power = 0;
+	  bfdsec->size = payload_len;
 	}
 
+      bfdsec->vma = vma;
+      bfdsec->lma = vma;
+      bfdsec->alignment_power = 0;
+      bfdsec->filepos = bfd_tell (abfd);
       if (bfdsec->size != 0)
 	{
 	  bfdsec->contents = _bfd_alloc_and_read (abfd, bfdsec->size,
-- 
2.30.2
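Review bot: The new truncation check leaves with a bare `return FALSE;` after `bfd_set_error (bfd_error_file_truncated);`, while every other failure in this hunk, including the `if (!name)` line right below it, exits through `goto error_return`; that label lies outside the hunk, so a reader cannot tell whether whatever it does is deliberately skipped here, and `goto error_return;` would keep a single exit path unless the label overwrites the error code. The bound itself is only applied when `bfd_get_file_size` returns non-zero, so for a file of unknown size `bfd_alloc (abfd, namelen + prefixlen + 1)` is still reached with a namelen limited only by the LEB128-decoded payload_len; that residual deserves a comment above the check, such as `/* Bound the name allocation by the file size; when the size is unknown (0) only the payload_len check above applies.  */`. wasm_scan's body starts before this hunk and continues after it.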
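Review bot: The hoisted `bfdsec->filepos = bfd_tell (abfd);` is now the one place both section kinds record where their payload starts, and for the custom-section path that is correct only because the name bytes were already consumed and `payload_len` was reduced by `namelen + bytes_read` earlier in the function, outside this hunk; nothing at the assignment says so. A one-line comment above `bfdsec->vma = vma;` would spare the next reader re-deriving it, e.g. `/* Both paths have consumed their section header (and the custom-section name), so the stream is now at the payload.  */`. The enclosing loop body begins before the hunk and the `if (bfdsec->size != 0)` block continues past its last line.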