This patch fixes a heap-buffer-overflow when a malformed Mach-O has a
load command whose size extends past the end of the binary.
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3225
Differential D37439
[MachO] Prevent heap overflow when load command extends past EOF
Authored by JDevlieghere on Sep 4 2017, 8:23 AM.
Event Timeline

Looks good (but I don't know this code). I've run the fuzzer manually and the most frequent failure looks like this:

LLVM ERROR: Invalid data was encountered while parsing the file
#7 0x560c25 in llvm::object::RelocVisitor::getELFAddend(llvm::object::RelocationRef) Object/RelocVisitor.h:120:7

(and a few similar ones) Are these something you could fix as well?

Thanks Kostya!
I'll have a look if I can find some spare time, but I'll be focussing on the Mach-O stuff mostly.
Thank you very much for addressing this!
What happens on a 32-bit platform when cmdsize is so large that the addition wraps around? Or is cmdsize < 32bit ?
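The bounds check the summary describes, and the 32-bit wrap-around the last comment asks about, as an added stand-alone example. This is not LLVM's code and not the code from this revision; it walks the load commands of a 64-bit Mach-O image using only the public header layout (mach_header_64, load_command) and compares the command size against the bytes remaining rather than against an added end offset, so the comparison cannot wrap whatever the width of size_t. The contrasting wrappingCheckAccepts() computes the end offset in 32 bits, as a 32-bit build would, to show how a cmdsize near 2^32 slips through. The sample images built by makeImage() are constructed for this example and are not real binaries.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Minimal 64-bit Mach-O header and load command layouts (little-endian,
// as laid out in <mach-o/loader.h>). Only ncmds and cmdsize are used.
struct MachHeader64 {
  uint32_t magic, cputype, cpusubtype, filetype;
  uint32_t ncmds, sizeofcmds, flags, reserved;
};
struct LoadCommand {
  uint32_t cmd;
  uint32_t cmdsize;
};
static const uint32_t MH_MAGIC_64 = 0xfeedfacf;

// Walk the load commands of an in-memory image and check that each one lies
// entirely inside the buffer. Returns 0 if all commands are in bounds, or the
// 1-based index of the first command that is truncated or oversized.
// The comparison is `cmdsize > len - offset`, never `offset + cmdsize > len`,
// so it holds even when offset + cmdsize would overflow the integer type.
size_t firstBadLoadCommand(const uint8_t *buf, size_t len) {
  if (len < sizeof(MachHeader64)) return 1;
  MachHeader64 hdr;
  std::memcpy(&hdr, buf, sizeof hdr);
  if (hdr.magic != MH_MAGIC_64) return 1;

  size_t offset = sizeof(MachHeader64);
  for (uint32_t i = 0; i < hdr.ncmds; ++i) {
    // Not even room for the cmd/cmdsize pair: the command header is truncated.
    if (len - offset < sizeof(LoadCommand)) return i + 1;
    LoadCommand lc;
    std::memcpy(&lc, buf + offset, sizeof lc);
    // A cmdsize smaller than the header would stall the walk in place.
    if (lc.cmdsize < sizeof(LoadCommand)) return i + 1;
    // The command body extends past the end of the file.
    if (lc.cmdsize > len - offset) return i + 1;
    offset += lc.cmdsize;  // cannot exceed len because of the check above
  }
  return 0;
}

// The fragile form of the check, evaluated in 32-bit arithmetic as it would
// be on a 32-bit target: the sum wraps modulo 2^32 and a huge cmdsize passes.
bool wrappingCheckAccepts(uint32_t offset, uint32_t cmdsize, uint32_t len) {
  uint32_t end = offset + cmdsize;  // may wrap
  return end <= len;
}

// Constructed sample image: a header declaring one load command, followed by
// that command with the given cmdsize, padded with zeros to totalLen bytes
// (totalLen must be at least 40).
std::vector<uint8_t> makeImage(uint32_t cmdsize, size_t totalLen) {
  std::vector<uint8_t> img(totalLen, 0);
  MachHeader64 hdr{MH_MAGIC_64, 0, 0, 0, /*ncmds=*/1, cmdsize, 0, 0};
  std::memcpy(img.data(), &hdr, sizeof hdr);
  LoadCommand lc{/*cmd=*/1, cmdsize};  // cmd value is arbitrary for the walk
  std::memcpy(img.data() + sizeof hdr, &lc, sizeof lc);
  return img;
}

int main() {
  std::vector<uint8_t> ok = makeImage(16, 48);           // fits exactly
  std::vector<uint8_t> huge = makeImage(0xFFFFFFF0u, 48); // past EOF
  std::vector<uint8_t> cut = makeImage(16, 40);           // body truncated
  std::printf("valid image: bad index %zu\n", firstBadLoadCommand(ok.data(), ok.size()));
  std::printf("huge cmdsize: bad index %zu\n", firstBadLoadCommand(huge.data(), huge.size()));
  std::printf("truncated body: bad index %zu\n", firstBadLoadCommand(cut.data(), cut.size()));
  std::printf("32-bit offset+cmdsize check accepts huge cmdsize: %d\n",
              wrappingCheckAccepts(32, 0xFFFFFFF0u, 48));
  return 0;
}
```

With a 32-bit end offset, 32 + 0xFFFFFFF0 wraps to 16, which is below the 48-byte length, so the oversized command would be accepted; the remaining-bytes form rejects it regardless of word size.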