path: root/disassembler_elf.cc
author Samuel Huang <huangs@chromium.org> 2019-03-25 15:28:52 +0000
committer Copybara-Service <copybara-worker@google.com> 2021-07-25 20:53:23 -0700
commit 036cb9d1e02c28cbcace59a7131667869c1f5714 (patch)
tree 448a50a60c4337696ea27d97d8b498feecd3014d /disassembler_elf.cc
parent 0047fda863b1ebb43d2dc015643d3b59ec5734af (diff)
download zucchini-036cb9d1e02c28cbcace59a7131667869c1f5714.tar.gz
[Zucchini] Restrict PE rel32 scan size to min(virtual_size, size_of_raw_data).
For PE files, rel32 scanning previously scanned .text data spanning |size_of_raw_data| bytes. However, it's possible for |virtual_size| < |size_of_raw_data|. In this case, any rel32 references found in the data beyond |virtual_size| would have an invalid RVA. The problem does not cause crashes, but leads to bogus rel32 locations being emitted, if their bogus target happens to be valid.

This CL fixes the issue by reducing the range of the rel32 scan to |min(virtual_size, size_of_raw_data)|, thereby avoiding extracting these invalid rel32 references.

A DCHECK is added to ParseAndStoreRel32() to validate extracted rel32 locations for {DisassemblerWin32, DisassemblerElfIntel}. This guards against coding error (bad data should have been blocked).

Bug: 935283
Change-Id: I1587f62cb61f6cbda892b26e3d8c08cc31e0528e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1535753
Reviewed-by: Etienne Pierre-Doray <etiennep@chromium.org>
Commit-Queue: Samuel Huang <huangs@chromium.org>
Cr-Commit-Position: refs/heads/master@{#643848}
NOKEYCHECK=True
GitOrigin-RevId: 96528abcb3e87ac56ded12f935c3443f3c96eebf
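The scan-range problem the commit message describes, as an added stand-alone example (this is not Zucchini code and not part of the commit): a PE section whose file-aligned |size_of_raw_data| is larger than its |virtual_size|, scanned for E8/E9 rel32 displacements under both policies. The `Section`, `Rel32Ref`, `FindRel32` and sample-image helpers are simplified stand-ins for the real IMAGE_SECTION_HEADER fields and for Zucchini's scanner, and the image bytes are constructed for the example. A reference found in the padding past |virtual_size| gets a location RVA that does not exist in memory, which is exactly what the min() bound prevents.

```cpp
// Added example, not Zucchini code: why a PE rel32 scan must stop at
// min(virtual_size, size_of_raw_data). Structures are simplified stand-ins.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Subset of IMAGE_SECTION_HEADER fields that matter here (assumed layout).
struct Section {
  uint32_t virtual_address;     // RVA where the section is mapped.
  uint32_t virtual_size;        // Bytes that exist in memory.
  uint32_t pointer_to_raw_data; // File offset of the section's raw bytes.
  uint32_t size_of_raw_data;    // Bytes stored in the file (FileAlignment-padded).
};

struct Rel32Ref {
  uint32_t location_rva;  // RVA of the 4-byte displacement.
  uint32_t target_rva;    // Decoded branch target.
};

// Scan-size policy. The fixed behaviour bounds the scan by virtual_size.
inline uint32_t ScanSize(const Section& s, bool restrict_to_virtual_size) {
  return restrict_to_virtual_size ? std::min(s.virtual_size, s.size_of_raw_data)
                                  : s.size_of_raw_data;
}

// Minimal rel32 finder: E8 (CALL rel32) / E9 (JMP rel32) opcodes only.
// |image| is the whole file; scanning is confined to [raw, raw + scan_size).
std::vector<Rel32Ref> FindRel32(const std::vector<uint8_t>& image,
                                const Section& s, bool restrict_to_virtual_size) {
  std::vector<Rel32Ref> out;
  uint32_t begin = s.pointer_to_raw_data;
  uint32_t end = begin + ScanSize(s, restrict_to_virtual_size);
  if (end > image.size()) end = static_cast<uint32_t>(image.size());
  for (uint32_t off = begin; off + 5 <= end; ++off) {
    uint8_t op = image[off];
    if (op != 0xE8 && op != 0xE9) continue;
    uint32_t disp;  // Displacement is little-endian; memcpy is fine on x86 hosts.
    std::memcpy(&disp, &image[off + 1], 4);
    // Location RVA: translate the file offset of the displacement into the
    // section's mapped address space.
    uint32_t loc_rva = s.virtual_address + (off + 1 - begin);
    out.push_back({loc_rva, loc_rva + 4 + disp});
  }
  return out;
}

// True if |rva| lies inside the section's mapped range [VA, VA + virtual_size).
bool RvaInSection(const Section& s, uint32_t rva) {
  return rva >= s.virtual_address && rva < s.virtual_address + s.virtual_size;
}

// Count extracted rel32 locations whose RVA does not exist in memory.
int CountBogusLocations(const std::vector<Rel32Ref>& refs, const Section& s) {
  int n = 0;
  for (const Rel32Ref& r : refs)
    if (!RvaInSection(s, r.location_rva)) ++n;
  return n;
}

// Constructed sample: a .text section with 0x20 bytes of real code whose raw
// data was padded to 0x200 bytes by FileAlignment.
Section SampleSection() { return Section{0x1000, 0x20, 0x200, 0x200}; }

std::vector<uint8_t> SampleImage() {
  std::vector<uint8_t> image(0x400, 0);
  // Real CALL at RVA 0x1000: E8 0B 00 00 00 -> target 0x1001 + 4 + 0x0B = 0x1010.
  const uint8_t call[] = {0xE8, 0x0B, 0x00, 0x00, 0x00};
  std::memcpy(&image[0x200], call, sizeof(call));
  // Leftover bytes in the alignment padding at raw offset 0x240, i.e. 0x40 bytes
  // into the section and therefore past virtual_size (0x20).
  const uint8_t junk[] = {0xE8, 0x00, 0x00, 0x00, 0x00};
  std::memcpy(&image[0x240], junk, sizeof(junk));
  return image;
}

// Wrappers over the constructed sample for the two scan policies.
size_t SampleRefCount(bool restrict_to_virtual_size) {
  return FindRel32(SampleImage(), SampleSection(), restrict_to_virtual_size).size();
}
int SampleBogusCount(bool restrict_to_virtual_size) {
  Section s = SampleSection();
  return CountBogusLocations(FindRel32(SampleImage(), s, restrict_to_virtual_size), s);
}

int main() {
  std::printf("before fix: %zu refs, %d bogus\n", SampleRefCount(false), SampleBogusCount(false));
  std::printf("after fix:  %zu refs, %d bogus\n", SampleRefCount(true), SampleBogusCount(true));
  return 0;
}
```

The junk reference is the case the commit message calls "bogus": its displacement decodes to a target (0x1045) that a loose target-validity check could accept, while its own location (RVA 0x1041) is not mapped at all, so a validity check on the target alone would not reject it. Bounding the scan by |virtual_size| removes it before any target check runs.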
Diffstat (limited to 'disassembler_elf.cc')
-rw-r--r-- disassembler_elf.cc | 1 +
1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/disassembler_elf.cc b/disassembler_elf.cc
index 474f43e..1d75cb3 100644
--- a/disassembler_elf.cc
+++ b/disassembler_elf.cc
@@ -380,6 +380,7 @@ void DisassemblerElfIntel<Traits>::ParseExecSection(
offset_t rel32_offset =
base::checked_cast<offset_t>(rel32->location - image_.begin());
rva_t rel32_rva = rva_t(rel32_offset + from_offset_to_rva);
+ DCHECK_NE(rel32_rva, kInvalidRva);
rva_t target_rva = rel32_rva + 4 + image_.read<uint32_t>(rel32_offset);
if (target_rva_checker.IsValid(target_rva) &&
(rel32->can_point_outside_section ||
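Review bot: the added DCHECK_NE(rel32_rva, kInvalidRva) only fires in debug builds and only catches the one sentinel value, not a rel32_rva that lies outside the section being parsed; in a release build a bad rel32_rva still flows into target_rva = rel32_rva + 4 + image_.read<uint32_t>(rel32_offset) and is filtered solely by target_rva_checker.IsValid(target_rva), which (as the commit message itself notes) lets a bogus location through whenever its target happens to be valid. If the invariant being asserted is that ParseExecSection never sees a location beyond the section's mapped size, a DCHECK that rel32_rva falls within the section's RVA range would state that directly and document what upstream is expected to guarantee. Separately, the commit message says the DCHECK is added to ParseAndStoreRel32() for DisassemblerElfIntel, but this hunk is in DisassemblerElfIntel<Traits>::ParseExecSection; the message should name the function actually touched.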