[Object/ELF] - Do not crash on invalid section index.

George Rimar · George Rimar · commit 71f3c1921a8c · 2016-10-17T09:30:06.000Z
If object has wrong (large) string table index and also incorrect large value for amount of sections in total, then section index passes the check: if (Index >= getNumSections()) return object_error::invalid_section_index; But result pointer then is far after end of file data, what result in a crash. Differential revision: https://reviews.llvm.org/D25081 llvm-svn: 284369
diff --git a/llvm/include/llvm/Object/ELF.h b/llvm/include/llvm/Object/ELF.h
@@ -399,9 +399,11 @@ ELFFile<ELFT>::getSection(uint32_t Index) const {
   if (Index >= getNumSections())
     return object_error::invalid_section_index;
 
-  return reinterpret_cast<const Elf_Shdr *>(
-      reinterpret_cast<const char *>(SectionHeaderTable) +
-      (Index * Header->e_shentsize));
+  const uint8_t *Addr = reinterpret_cast<const uint8_t *>(SectionHeaderTable) +
+                        (Index * Header->e_shentsize);
+  if (Addr >= base() + getBufSize())
+    return object_error::invalid_section_index;
+  return reinterpret_cast<const Elf_Shdr *>(Addr);
 }
 
 template <class ELFT>
diff --git a/llvm/test/Object/Inputs/invalid-section-index2.elf b/llvm/test/Object/Inputs/invalid-section-index2.elf
diff --git a/llvm/test/Object/invalid.test b/llvm/test/Object/invalid.test
@@ -41,7 +41,7 @@ RUN: not llvm-readobj --dyn-symbols %p/Inputs/invalid-sh_entsize.elf 2>&1 | File
 INVALID-DYNSYM-SIZE: Invalid entity size
 
 RUN: not llvm-readobj -t %p/Inputs/invalid-section-index.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-INDEX %s
-
+RUN: not llvm-readobj -t %p/Inputs/invalid-section-index2.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-INDEX %s
 INVALID-SECTION-INDEX: Invalid section index
 
 RUN: not llvm-readobj -s %p/Inputs/invalid-section-size.elf 2>&1 | FileCheck --check-prefix=INVALID-SECTION-SIZE %s
