Next set of additional error checks for invalid Mach-O files for the

other load commands that use the MachO::dylinker_command type but not used in llvm libObject code but used in llvm tool code. This includes LC_ID_DYLINKER, LC_LOAD_DYLINKER and LC_DYLD_ENVIRONMENT load commands. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@282553 91177308-0d34-0410-b5e6-96231b3b80d8
simoatze · Sep 27, 2016 · 4bc0cbd · 4bc0cbd
1 parent c682447
commit 4bc0cbd
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 0 deletions.
diff --git a/lib/Object/MachOObjectFile.cpp b/lib/Object/MachOObjectFile.cpp
@@ -625,6 +625,35 @@ static Error checkDylibIdCommand(const MachOObjectFile *Obj,
   return Error::success();
 }
 
+static Error checkDyldCommand(const MachOObjectFile *Obj,
+                              const MachOObjectFile::LoadCommandInfo &Load,
+                              uint32_t LoadCommandIndex, const char *CmdName) {
+  if (Load.C.cmdsize < sizeof(MachO::dylinker_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " cmdsize too small");
+  MachO::dylinker_command D = getStruct<MachO::dylinker_command>(Obj, Load.Ptr);
+  if (D.name < sizeof(MachO::dylinker_command))
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " name.offset field too small, not past "
+                          "the end of the dylinker_command struct");
+  if (D.name >= D.cmdsize)
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " name.offset field extends past the end "
+                          "of the load command");
+  // Make sure there is a null between the starting offset of the name and
+  // the end of the load command.
+  uint32_t i;
+  const char *P = (const char *)Load.Ptr;
+  for (i = D.name; i < D.cmdsize; i++)
+    if (P[i] == '\0')
+      break;
+  if (i >= D.cmdsize)
+    return malformedError("load command " + Twine(LoadCommandIndex) + " " +
+                          CmdName + " dyld name extends past the end of the "
+                          "load command");
+  return Error::success();
+}
+
 Expected<std::unique_ptr<MachOObjectFile>>
 MachOObjectFile::create(MemoryBufferRef Object, bool IsLittleEndian,
                         bool Is64Bits) {
@@ -777,6 +806,15 @@ MachOObjectFile::MachOObjectFile(MemoryBufferRef Object, bool IsLittleEndian,
       if ((Err = checkDylibCommand(this, Load, I, "LC_LOAD_UPWARD_DYLIB")))
         return;
       Libraries.push_back(Load.Ptr);
+    } else if (Load.C.cmd == MachO::LC_ID_DYLINKER) {
+      if ((Err = checkDyldCommand(this, Load, I, "LC_ID_DYLINKER")))
+        return;
+    } else if (Load.C.cmd == MachO::LC_LOAD_DYLINKER) {
+      if ((Err = checkDyldCommand(this, Load, I, "LC_LOAD_DYLINKER")))
+        return;
+    } else if (Load.C.cmd == MachO::LC_DYLD_ENVIRONMENT) {
+      if ((Err = checkDyldCommand(this, Load, I, "LC_DYLD_ENVIRONMENT")))
+        return;
     }
     if (I < LoadCommandCount - 1) {
       if (auto LoadOrErr = getNextLoadCommandInfo(this, I, Load))

diff --git a/test/Object/Inputs/macho-invalid-dyld-name_offset-toobig b/test/Object/Inputs/macho-invalid-dyld-name_offset-toobig
diff --git a/test/Object/Inputs/macho-invalid-dyld-name_toobig b/test/Object/Inputs/macho-invalid-dyld-name_toobig
diff --git a/test/Object/Inputs/macho-invalid-dyld-small b/test/Object/Inputs/macho-invalid-dyld-small
diff --git a/test/Object/macho-invalid.test b/test/Object/macho-invalid.test
@@ -298,3 +298,12 @@ INVALID-SPLITINFO-DATAOFF-DATASIZE: macho-invalid-splitinfo-dataoff-datasize': t
 
 RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dylib_code_sign_drs-bad-size  2>&1 | FileCheck -check-prefix INVALID-DYLIB_CODE_SIGN_DRS-BAD-SIZE %s
 INVALID-DYLIB_CODE_SIGN_DRS-BAD-SIZE: macho-invalid-dylib_code_sign_drs-bad-size': truncated or malformed object (LC_DYLIB_CODE_SIGN_DRS command 0 has incorrect cmdsize)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyld-small  2>&1 | FileCheck -check-prefix INVALID-DYLD-SMALL %s
+INVALID-DYLD-SMALL: macho-invalid-dyld-small': truncated or malformed object (load command 0 LC_ID_DYLINKER cmdsize too small)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyld-name_offset-toobig  2>&1 | FileCheck -check-prefix INVALID-DYLD-NAME_OFFSET-TOOBIG %s
+INVALID-DYLD-NAME_OFFSET-TOOBIG: macho-invalid-dyld-name_offset-toobig': truncated or malformed object (load command 0 LC_LOAD_DYLINKER name.offset field extends past the end of the load command)
+
+RUN: not llvm-objdump -macho -private-headers %p/Inputs/macho-invalid-dyld-name_toobig 2>&1 | FileCheck -check-prefix INVALID-DYLD-NAME_TOOBIG %s
+INVALID-DYLD-NAME_TOOBIG: macho-invalid-dyld-name_toobig': truncated or malformed object (load command 0 LC_DYLD_ENVIRONMENT dyld name extends past the end of the load command)