authorckitagawa <ckitagawa@chromium.org>2019-11-07 20:47:39 +0000
committerCopybara-Service <copybara-worker@google.com>2021-07-25 20:57:35 -0700
commit5de6c9ca574332e36e10a55fffc34a7ef815a0c5 (patch)
tree73f9a74feedd39e3feb7b10e5224f97edd63ca37 /disassembler_elf.cc
parent45b6422b0748aef26d655db5125d888ee2be6f3d (diff)
downloadzucchini-5de6c9ca574332e36e10a55fffc34a7ef815a0c5.tar.gz
[Zucchini] Fix offset outside image case
The fuzzer found a pathological case when the section size is 0 but the offset is outside of the image. This resulted in header parsing skipping the section since the size was 0; however, later processing creates a region of size 0 that is outside the image, causing checks to fail. The solution here is to check whether the offset is outside the image when the size is 0. This suggests that the data is ill-formed and we should reject the image entirely. Bug: 1019271 Change-Id: If47d099aa4f919b097d4e15804048eaf64a59201 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1903886 Reviewed-by: Etienne Pierre-Doray <etiennep@chromium.org> Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org> Cr-Commit-Position: refs/heads/master@{#713572} NOKEYCHECK=True GitOrigin-RevId: 74eb15eee824427077620f88b2e4759c5bb2e221
Diffstat (limited to 'disassembler_elf.cc')
-rw-r--r--disassembler_elf.cc8
1 files changed, 7 insertions, 1 deletions
diff --git a/disassembler_elf.cc b/disassembler_elf.cc
index ff3b085..2405374 100644
--- a/disassembler_elf.cc
+++ b/disassembler_elf.cc
@@ -208,8 +208,14 @@ bool DisassemblerElf<Traits>::ParseHeader() {
// Skip empty sections. These don't affect |offset_bound|, and don't
// contribute to RVA-offset mapping.
- if (section->sh_size == 0)
+ if (section->sh_size == 0) {
+ // Skipping empty sections is only safe if the |sh_offset| is within the
+ // image. Fail if this is not true as the input is ill-formed.
+ if (section->sh_offset >= image_.size())
+ return false;
+
continue;
+ }
// Extract dimensions to 32-bit integers to facilitate conversion. Range of
// values was ensured above when checking that the section is bounded.