Master/upx
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Validate Mach_segment_command.cmdsize; CERT-FI id:000000,sig:11,src:000000,op:havoc,rep:2

Browse Source
This commit is contained in:
John Reiser
2015-05-08 19:45:05 -07:00
parent 82a51f35ea
commit 0151b3f9b3
1 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/p_mach.cpp
+12 -6
View File
@@ -1259,12 +1259,15 @@ void PackMachBase<T>::unpack(OutputFile *fo)
unsigned const lc_seg = lc_segment[sizeof(Addr)>>3];
fi->seek(0, SEEK_SET);
fi->readx(&mhdri, sizeof(mhdri));
if (!fo // -t (test) mode
&& (MH_MAGIC + (sizeof(Addr)>>3)) != mhdri.magic
if ((MH_MAGIC + (sizeof(Addr)>>3)) != mhdri.magic
&& Mach_fat_header::FAT_MAGIC != mhdri.magic) {
throwCantUnpack("file header corrupted");
}
rawmseg = (Mach_segment_command *)new char[(unsigned) mhdri.sizeofcmds];
unsigned const sz_cmds = mhdri.sizeofcmds;
if ((sizeof(mhdri) + sz_cmds) > fi->st_size()) {
throwCantUnpack("file header corrupted");
}
rawmseg = (Mach_segment_command *)new char[sz_cmds];
fi->readx(rawmseg, mhdri.sizeofcmds);
// FIXME forgot space left for LC_CODE_SIGNATURE;
@@ -1295,10 +1298,13 @@ void PackMachBase<T>::unpack(OutputFile *fo)
unsigned const ncmds = mhdr->ncmds;
msegcmd = new Mach_segment_command[ncmds];
unsigned char *ptr = (unsigned char *)(1+mhdr);
unsigned char const *ptr = (unsigned char const *)(1+mhdr);
for (unsigned j= 0; j < ncmds; ++j) {
msegcmd[j] = *(Mach_segment_command *)ptr;
ptr += (unsigned) ((Mach_segment_command *)ptr)->cmdsize;
msegcmd[j] = *(Mach_segment_command const *)ptr;
ptr += (unsigned) ((Mach_segment_command const *)ptr)->cmdsize;
if ((ptr - (unsigned char const *)(1+mhdr)) > fi->st_size()) {
throwCantUnpack("cmdsize");
}
}
// Put LC_SEGMENT together at the beginning, ascending by .vmaddr.