authorYabin Cui <yabinc@google.com>2023-01-13 16:12:25 -0800
committerYabin Cui <yabinc@google.com>2023-01-13 16:20:09 -0800
commitbc5b789c5e4d39ec06bb320c187e53e80dac2ab3 (patch)
tree9499016b2138506791d755b105dc4a1014fbef05
parentd9ebe5109db6deaa698a3b3afd91f9c0a39373ca (diff)
downloadextras-bc5b789c5e4d39ec06bb320c187e53e80dac2ab3.tar.gz
simpleperf: Check map range in MemAccess.
When map data is invalid, the map range may be much larger than the MemoryBuffer. This may cause a SEGV. So add a check to make sure the MemoryBuffer can cover the map range. Bug: 261990181 Test: run libsimpleperf_report_fuzzer Change-Id: Ie0e7eafe8809ec2eb804b16d608aa7af6bb2390c
-rw-r--r--simpleperf/ETMDecoder.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/simpleperf/ETMDecoder.cpp b/simpleperf/ETMDecoder.cpp
index 7c2928c0..5e2f92e0 100644
--- a/simpleperf/ETMDecoder.cpp
+++ b/simpleperf/ETMDecoder.cpp
@@ -289,9 +289,14 @@ class MemAccess : public ITargetMemAccess {
// addr.
if (!map->in_kernel) {
data.buffer_map = map;
- data.buffer = memory == nullptr ? nullptr : (memory->getBufferStart() + map->pgoff);
data.buffer_start = map->start_addr;
data.buffer_end = map->get_end_addr();
+ if (memory != nullptr && memory->getBufferSize() > map->pgoff &&
+ (memory->getBufferSize() - map->pgoff >= map->len)) {
+ data.buffer = memory->getBufferStart() + map->pgoff;
+ } else {
+ data.buffer = nullptr;
+ }
}
}
*num_bytes = copy_size;
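Review bot: The rejected branch leaves `data.buffer_map`, `data.buffer_start` and `data.buffer_end` describing the map while `data.buffer` is null, so every later reader of `data.buffer` must treat null as "range unreadable" rather than "not yet cached"; nothing in the hunk records that contract, and a comment above the new `if` would, e.g. `// Only expose the buffer when [pgoff, pgoff + len) lies inside it; a null buffer makes reads fail instead of running past the end.` The subtraction form `memory->getBufferSize() - map->pgoff >= map->len`, guarded by the preceding `> map->pgoff` test, is what keeps the comparison free of unsigned wrap-around, which is worth stating so a later rewrite does not fold it back into `pgoff + len`. The check also assumes `map->len` agrees with `map->get_end_addr() - map->start_addr`, which the hunk does not show. The enclosing method starts and ends outside the hunk.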