wader/fq
1
1
Fork 0
mirror of https://github.com/wader/fq.git synced 2024-11-28 03:02:55 +03:00
Code Issues Projects Releases Wiki Activity

elf,fuzz: Error on too large string table

Browse Source 
Fixes alloc/hang of giant string
This commit is contained in:
Mattias Wadman 2022-07-22 22:22:33 +02:00
parent e50a225f9d
commit 40481f6692
3 changed files with 41 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
format/elf/elf.go
View File

@ -518,6 +518,15 @@ type sectionHeader struct {
symbols []symbol
}
const maxStrTabSize = 100_000_000
func readStrTab(d *decode.D, firstBit int64, nBytes int64) string {
if nBytes > maxStrTabSize {
d.Errorf("string table too large %d > %d", nBytes, maxStrTabSize)
}
return string(d.BytesRange(firstBit, int(nBytes)))
}
func elfReadSectionHeaders(d *decode.D, ec *elfContext) {
for i := 0; i < ec.shNum; i++ {
d.SeekAbs(ec.shOff + int64(i)*ec.shEntSize)
@ -571,7 +580,7 @@ func elfReadSectionHeaders(d *decode.D, ec *elfContext) {
}
if i, ok := ec.sectionIndexByAddr(sh.dc.strTabPtr); ok {
strTabSh := ec.sections[i]
sh.dc.strTab = string(d.BytesRange(strTabSh.offset, int(sh.dc.strSzVal/8)))
sh.dc.strTab = readStrTab(d, strTabSh.offset, sh.dc.strSzVal/8)
}
}
@ -581,12 +590,13 @@ func elfReadSectionHeaders(d *decode.D, ec *elfContext) {
d.Fatalf("can't find shStrNdx %d", ec.shStrNdx)
}
sh := ec.sections[ec.shStrNdx]
shStrTab = string(d.BytesRange(sh.offset, int(sh.size/8)))
shStrTab = readStrTab(d, sh.offset, sh.size/8)
for _, sh := range ec.sections {
if sh.typ != SHT_STRTAB {
continue
}
ec.strTabMap[strIndexNull(sh.name, shStrTab)] = string(d.BytesRange(sh.offset, int(sh.size/8)))
ec.strTabMap[strIndexNull(sh.name, shStrTab)] = readStrTab(d, sh.offset, sh.size/8)
}
}

BIN
format/elf/testdata/regression/bigstrtab vendored Normal file
View File

Binary file not shown.

28
format/elf/testdata/regression/bigstrtab.fqtest vendored Normal file
View File

@ -0,0 +1,28 @@
# should error on giant strtab
$ fq -d elf d bigstrtab
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: bigstrtab (elf)
| | | error: elf: error at position 0x4740: string table too large 67675799683072 > 100000000
| | | header{}:
| | | ident{}:
0x0000|7f 45 4c 46 |.ELF | magic: raw bits (valid)
0x0000| 02 | . | class: 64 (2)
0x0000| 01 | . | data: "little_endian" (1)
0x0000| 01 | . | version: 1
0x0000| 00 | . | os_abi: "sysv" (0)
0x0000| 00 | . | abi_version: 0
0x0000| 00 00 00 00 00 00 00| .......| pad: raw bits (all zero)
0x0010|03 00 |.. | type: "dyn" (0x3)
0x0010| 3e 00 | >. | machine: "x86_64" (0x3e) (AMD x86-64)
0x0010| 01 00 00 00 | .... | version: 1
0x0010| 70 10 00 00 00 00 00 00| p.......| entry: 4208
0x0020|40 00 00 00 00 00 00 00 |@....... | phoff: 64
0x0020| c0 3e 00 00 00 00 00 00| .>......| shoff: 16064
0x0030|00 00 00 00 |.... | flags: 0
0x0030| 40 00 | @. | ehsize: 64
0x0030| 38 00 | 8. | phentsize: 56
0x0030| 0c 00 | .. | phnum: 12
0x0030| 40 00 | @. | shentsize: 64
0x0030| 22 00 | ". | shnum: 34
0x0030| 21 00| !.| shstrndx: 33
0x0040|06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00|........@.......| unknown0: raw bits
* |until 0x474b.7 (end) (18188) | |