author | Calder Kitagawa <ckitagawa@google.com> | 2018-04-05 12:56:50 +0000 |
---|---|---|
committer | Edward Lesmes <ehmaldonado@google.com> | 2021-07-23 22:02:45 +0000 |
commit | 9e74a61b87dd26ed0f39c41399aedcff279c3f85 (patch) | |
tree | 2cfe4617f2fca00920f37be63f14ab972f14dab2 /reloc_utils.cc | |
parent | fff1ca312c453481375168c8b0d40a42c45a47cb (diff) | |
download | zucchini-9e74a61b87dd26ed0f39c41399aedcff279c3f85.tar.gz |
[Zucchini] Fix bugs found by Windows PE disassembler fuzzing
reloc_utils.cc contained an infinite loop and a crashing
out-of-bounds behavior due to unsafe input. This resolves these "fatal"
errors.
Fuzzing has found no other infinite loops or crashes for the Windows PE
disassembler, nor has ASAN detected any other out-of-bounds memory
issues. The fuzzer will be committed separately once it is more
performant (i.e. >= 1000 exec/s).
Change-Id: Ieb07f77fb7b062238b4ce1587bcde45a4d3b7788
Reviewed-on: https://chromium-review.googlesource.com/996488
Reviewed-by: Samuel Huang <huangs@chromium.org>
Reviewed-by: Greg Thompson <grt@chromium.org>
Commit-Queue: Calder Kitagawa <ckitagawa@google.com>
Cr-Commit-Position: refs/heads/master@{#548397}
NOKEYCHECK=True
GitOrigin-RevId: 975444866735e5e44b024707a7ff28582b8383cd
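As an added worked example, not code from this commit or from the Zucchini project: a C++ walker over a PE .reloc section whose per-block SizeOfBlock field is attacker-controlled. It shows the two failure classes the commit message names, a zero block size that leaves the walk position unchanged forever and an oversized block size that reads past the bytes actually present, next to the validated version that rejects both plus the unit-alignment case. The names (kRelocHeaderSize, kRelocUnitSize, WalkRelocs, UnsafeWalkSteps, MakeBlock) and the sample byte strings are constructed for this example and are not the project's identifiers; the unhardened loop is given a step cap only so it can run to completion here.

```cpp
// Added example, not Zucchini code. Names and test vectors are this
// example's own, chosen to mirror the commit, not project identifiers.
#include <cstddef>
#include <cstdint>
#include <vector>

// IMAGE_BASE_RELOCATION layout: 32-bit page RVA, 32-bit total block size
// (header included), then 16-bit entries laid out as type:4 | offset:12.
constexpr size_t kRelocHeaderSize = 8;
constexpr size_t kRelocUnitSize = 2;
constexpr uint16_t kRelocTypeAbsolute = 0;  // IMAGE_REL_BASED_ABSOLUTE: padding

struct WalkResult {
  bool ok;         // false if the section was rejected as malformed
  size_t blocks;   // blocks that passed every check
  size_t entries;  // non-padding entries seen
};

static uint32_t Read32LE(const uint8_t* p) {
  return uint32_t(p[0]) | uint32_t(p[1]) << 8 | uint32_t(p[2]) << 16 |
         uint32_t(p[3]) << 24;
}
static uint16_t Read16LE(const uint8_t* p) { return uint16_t(p[0] | p[1] << 8); }

// Hardened walker: every untrusted length is checked before it is used.
WalkResult WalkRelocs(const uint8_t* data, size_t len) {
  WalkResult r{true, 0, 0};
  size_t pos = 0;
  while (pos < len) {
    if (len - pos < kRelocHeaderSize) { r.ok = false; return r; }
    uint32_t block_size = Read32LE(data + pos + 4);
    // Lower bound. Also rejects block_size == 0, which would leave 'pos'
    // unchanged on every iteration: the infinite-loop case.
    if (block_size < kRelocHeaderSize) { r.ok = false; return r; }
    // Upper bound against the bytes actually present: the OOB-read case.
    if (block_size > len - pos) { r.ok = false; return r; }
    // Payload must be a whole number of 16-bit units.
    size_t payload = block_size - kRelocHeaderSize;
    if (payload % kRelocUnitSize != 0) { r.ok = false; return r; }
    const uint8_t* units = data + pos + kRelocHeaderSize;
    for (size_t i = 0; i < payload; i += kRelocUnitSize) {
      uint16_t type = Read16LE(units + i) >> 12;
      if (type != kRelocTypeAbsolute) ++r.entries;
    }
    ++r.blocks;
    pos += block_size;
  }
  return r;
}

// Unhardened walker, kept only to show the non-progress bug: it trusts
// block_size as the stride. The step cap stands in for "hangs forever".
size_t UnsafeWalkSteps(const uint8_t* data, size_t len, size_t max_steps) {
  size_t pos = 0, steps = 0;
  while (pos + kRelocHeaderSize <= len && steps < max_steps) {
    pos += Read32LE(data + pos + 4);  // zero stride: loops until the cap
    ++steps;
  }
  return steps;
}

// Constructed test vectors, not bytes from any real binary.
static std::vector<uint8_t> MakeBlock(uint32_t rva, uint32_t declared_size,
                                      const std::vector<uint16_t>& units) {
  std::vector<uint8_t> out;
  auto put32 = [&](uint32_t v) {
    for (int s = 0; s < 32; s += 8) out.push_back(uint8_t(v >> s));
  };
  put32(rva);
  put32(declared_size);
  for (uint16_t u : units) {
    out.push_back(uint8_t(u));
    out.push_back(uint8_t(u >> 8));
  }
  return out;
}

WalkResult WalkGoodSample() {
  // Two well-formed blocks; the second ends with an ABSOLUTE padding entry.
  std::vector<uint8_t> buf = MakeBlock(0x1000, 12, {0x3004, 0x3010});
  std::vector<uint8_t> b2 = MakeBlock(0x2000, 12, {0x3020, 0x0000});
  buf.insert(buf.end(), b2.begin(), b2.end());
  return WalkRelocs(buf.data(), buf.size());
}
WalkResult WalkZeroSizeSample() {
  std::vector<uint8_t> buf = MakeBlock(0x1000, 0, {});
  return WalkRelocs(buf.data(), buf.size());
}
size_t UnsafeZeroSizeSteps() {
  std::vector<uint8_t> buf = MakeBlock(0x1000, 0, {});
  return UnsafeWalkSteps(buf.data(), buf.size(), 1000);
}
WalkResult WalkOversizedSample() {
  // Header claims 0x1000 bytes; only 12 are present.
  std::vector<uint8_t> buf = MakeBlock(0x1000, 0x1000, {0x3004, 0x3010});
  return WalkRelocs(buf.data(), buf.size());
}
WalkResult WalkMisalignedSample() {
  std::vector<uint8_t> buf = MakeBlock(0x1000, 11, {0x3004});
  buf.push_back(0);  // 11 bytes total: a 3-byte payload is not unit-aligned
  return WalkRelocs(buf.data(), buf.size());
}
```

The order of the three checks matters: the lower bound must come first so that the later subtraction `block_size - kRelocHeaderSize` cannot wrap, and the upper bound is taken against `len - pos`, the bytes that remain, not against the section's total size. A debug-only assertion in place of any of these offers no protection in a release build fed untrusted input.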
Diffstat (limited to 'reloc_utils.cc')
-rw-r--r-- | reloc_utils.cc | 5 |
1 file changed, 4 insertions, 1 deletion
diff --git a/reloc_utils.cc b/reloc_utils.cc index d21a0d3..bfad98e 100644 --- a/reloc_utils.cc +++ b/reloc_utils.cc @@ -118,7 +118,10 @@ bool RelocRvaReaderWin32::LoadRelocBlock( const auto& header = header_buf.read<pe::RelocHeader>(0); rva_hi_bits_ = header.rva_hi; uint32_t block_size = header.size; - DCHECK_GE(block_size, sizeof(pe::RelocHeader)); + if (block_size < sizeof(pe::RelocHeader)) + return false; + if ((block_size - sizeof(pe::RelocHeader)) % kRelocUnitSize != 0) + return false; cur_reloc_units_ = BufferSource(block_begin, block_size); cur_reloc_units_.Skip(sizeof(pe::RelocHeader)); return true; |
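Review bot: the two new guards bound block_size from below and enforce unit alignment, but nothing in this hunk checks block_size against the bytes remaining from block_begin, and `cur_reloc_units_ = BufferSource(block_begin, block_size);` is still constructed straight from the untrusted header.size. Unless BufferSource clamps to the enclosing region or the caller validates that bound, an oversized header.size still reads past the end of the reloc data; consider an explicit upper-bound check alongside the new ones, or a comment stating where that bound is enforced. A short comment on the two early returns would also help, since the replaced DCHECK_GE documented the intended invariant and the new code does not: the first check rules out block_size == 0 and prevents `block_size - sizeof(pe::RelocHeader)` from wrapping, and the second rejects a payload that is not a whole number of kRelocUnitSize units. Replacing the DCHECK with a hard `return false` is the right call, as a debug-only assertion gives no protection against untrusted input in release builds.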