summaryrefslogtreecommitdiff
path: root/src/arbits
diff options
context:
space:
mode:
authormidipix <writeonce@midipix.org>2024-01-25 04:24:00 +0000
committermidipix <writeonce@midipix.org>2024-01-25 04:24:00 +0000
commitc37698deddf747df9e4cebd3157e8ec09fb11373 (patch)
treef53c4856f7c2f4ec1680b005d32610fe1eec3cb5 /src/arbits
parenta470d5887690957835de60c3cdd6b94841201e70 (diff)
downloadslibtool-c37698deddf747df9e4cebd3157e8ec09fb11373.tar.bz2
slibtool-c37698deddf747df9e4cebd3157e8ec09fb11373.tar.xz
slbt_ar_parse_primary_armap_bsd_32(): perform strict armap validation.
Diffstat (limited to 'src/arbits')
-rw-r--r--src/arbits/slbt_archive_meta.c51
1 files changed, 46 insertions, 5 deletions
diff --git a/src/arbits/slbt_archive_meta.c b/src/arbits/slbt_archive_meta.c
index 260ca76..50b4605 100644
--- a/src/arbits/slbt_archive_meta.c
+++ b/src/arbits/slbt_archive_meta.c
@@ -237,9 +237,14 @@ static int slbt_ar_parse_primary_armap_bsd_32(
struct ar_raw_armap_bsd_32 * armap;
struct ar_meta_member_info * memberp;
struct ar_meta_armap_common_32 *armapref;
+ uint32_t attr;
uint32_t nsyms;
+ uint32_t nstrs;
+ uint32_t sizeofrefs_le;
+ uint32_t sizeofrefs_be;
uint32_t sizeofrefs;
uint32_t sizeofstrs;
+ const char * ch;
unsigned char * uch;
unsigned char (*mark)[0x04];
@@ -253,17 +258,53 @@ static int slbt_ar_parse_primary_armap_bsd_32(
armap->ar_first_name_offset = mark;
- sizeofrefs = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0];
- nsyms = sizeofrefs / sizeof(struct ar_raw_armap_ref_32);
- mark += (sizeofrefs / sizeof(*mark));
+ sizeofrefs_le = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0];
+ sizeofrefs_be = (uch[0] << 24) + (uch[1] << 16) + (uch[2] << 8) + uch[3];
+
+ if (sizeofrefs_le < memberp->ar_object_size - sizeof(*mark)) {
+ sizeofrefs = sizeofrefs_le;
+ attr = AR_ARMAP_ATTR_LE_32;
+
+ } else if (sizeofrefs_be < memberp->ar_object_size - sizeof(*mark)) {
+ sizeofrefs = sizeofrefs_be;
+ attr = AR_ARMAP_ATTR_BE_32;
+ } else {
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS);
+ }
+
+ nsyms = sizeofrefs / sizeof(struct ar_raw_armap_ref_32);
+ mark += (sizeofrefs / sizeof(*mark));
armap->ar_size_of_strs = mark;
uch = *mark++;
- sizeofstrs = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0];
+ sizeofstrs = (attr == AR_ARMAP_ATTR_LE_32)
+ ? (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0]
+ : (uch[0] << 24) + (uch[1] << 16) + (uch[2] << 8) + uch[3];
+
+ if (sizeofstrs > memberp->ar_object_size - 2*sizeof(*mark) - sizeofrefs)
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_STRS);
m->symstrs = (const char *)mark;
+ if (nsyms && !m->symstrs[0])
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE);
+
+ for (ch=&m->symstrs[1],nstrs=0; ch<&m->symstrs[sizeofstrs]; ch++)
+ if (!ch[0] && ch[-1])
+ nstrs++;
+
+ if (nstrs != nsyms)
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE);
+
if (!(m->symstrv = calloc(nsyms + 1,sizeof(const char *))))
return SLBT_SYSTEM_ERROR(dctx,0);
@@ -272,7 +313,7 @@ static int slbt_ar_parse_primary_armap_bsd_32(
armapref = &m->armaps.armap_common_32;
armapref->ar_member = memberp;
armapref->ar_armap_bsd = armap;
- armapref->ar_armap_attr = AR_ARMAP_ATTR_BSD | AR_ARMAP_ATTR_LE_32;
+ armapref->ar_armap_attr = AR_ARMAP_ATTR_BSD | attr;
armapref->ar_num_of_symbols = nsyms;
armapref->ar_size_of_refs = sizeofrefs;
armapref->ar_size_of_strs = sizeofstrs;