Detect malformed LC_LINKER_COMMANDs in Mach-O binaries Summary: llvm-objdump can be tricked into reading beyond valid memory and segfaulting if LC_LINKER_COMMAND strings are not null terminated. libObject does have code to validate the integrity of the LC_LINKER_COMMAND struct, but this validator improperly assumes linker command strings are null terminated. The solution is to report an error if a string extends beyond the end of the LC_LINKER_COMMAND struct. Reviewers: lhames, pete Reviewed By: pete Subscribers: rupprecht, llvm-commits Tags: #llvm Differential Revision: https://reviews.llvm.org/D59179 llvm-svn: 355851

commit: 76d66123b27d7e49fa15a347c006ef9454069614 [log] [tgz]
author: Michael Trent <mtrent@apple.com> Mon Mar 11 18:29:25 2019 +0000
committer: Michael Trent <mtrent@apple.com> Mon Mar 11 18:29:25 2019 +0000
tree: faa882e0e9f5960b8a1a9148b8494790ea8096f7
parent: 0d6f681292d5ae8ed5df0cc29eaf95928d264d43 [diff] [blame]
diff --git a/llvm/lib/Object/MachOObjectFile.cpp b/llvm/lib/Object/MachOObjectFile.cpp
index c68bb5d..456c636 100644
--- a/llvm/lib/Object/MachOObjectFile.cpp
+++ b/llvm/lib/Object/MachOObjectFile.cpp

@@ -918,6 +918,10 @@
     if (left > 0) {
       i++;
       uint32_t NullPos = StringRef(string, left).find('\0');
+      if (0xffffffff == NullPos)
+        return malformedError("load command " + Twine(LoadCommandIndex) +
+                              " LC_LINKER_OPTION string #" + Twine(i) +
+                              " is not NULL terminated");
       uint32_t len = std::min(NullPos, left) + 1;
       string += len;
       left -= len;
commit	76d66123b27d7e49fa15a347c006ef9454069614	[log] [tgz]
author	Michael Trent <mtrent@apple.com>	Mon Mar 11 18:29:25 2019 +0000
committer	Michael Trent <mtrent@apple.com>	Mon Mar 11 18:29:25 2019 +0000
tree	faa882e0e9f5960b8a1a9148b8494790ea8096f7
parent	0d6f681292d5ae8ed5df0cc29eaf95928d264d43 [diff] [blame]