From 1c4fed5505c91cd00f738e5459ab37d0a495c090 Mon Sep 17 00:00:00 2001 From: midipix Date: Thu, 25 Jan 2024 04:38:42 +0000 Subject: slbt_ar_parse_primary_armap_bsd_64(): perform strict armap validation. --- src/arbits/slbt_archive_meta.c | 55 +++++++++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 6 deletions(-) (limited to 'src/arbits') diff --git a/src/arbits/slbt_archive_meta.c b/src/arbits/slbt_archive_meta.c index 50b4605..2505a46 100644 --- a/src/arbits/slbt_archive_meta.c +++ b/src/arbits/slbt_archive_meta.c @@ -333,11 +333,16 @@ static int slbt_ar_parse_primary_armap_bsd_64( struct ar_raw_armap_bsd_64 * armap; struct ar_meta_member_info * memberp; struct ar_meta_armap_common_64 *armapref; + uint32_t attr; uint64_t u64_lo; uint64_t u64_hi; uint64_t nsyms; + uint64_t nstrs; + uint64_t sizeofrefs_le; + uint64_t sizeofrefs_be; uint64_t sizeofrefs; uint64_t sizeofstrs; + const char * ch; unsigned char * uch; unsigned char (*mark)[0x08]; 
@@ -354,19 +359,57 @@ static int slbt_ar_parse_primary_armap_bsd_64( u64_lo = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0]; u64_hi = (uch[7] << 24) + (uch[6] << 16) + (uch[5] << 8) + uch[4]; - sizeofrefs = u64_lo + (u64_hi << 32); - nsyms = sizeofrefs / sizeof(struct ar_raw_armap_ref_64); - mark += (sizeofrefs / sizeof(*mark)); + sizeofrefs_le = u64_lo + (u64_hi << 32); + + u64_hi = (uch[0] << 24) + (uch[1] << 16) + (uch[2] << 8) + uch[3]; + u64_lo = (uch[4] << 24) + (uch[5] << 16) + (uch[6] << 8) + uch[7]; + + sizeofrefs_be = (u64_hi << 32) + u64_lo; + + if (sizeofrefs_le < memberp->ar_object_size - sizeof(*mark)) { + sizeofrefs = sizeofrefs_le; + attr = AR_ARMAP_ATTR_LE_64; + + } else if (sizeofrefs_be < memberp->ar_object_size - sizeof(*mark)) { + sizeofrefs = sizeofrefs_be; + attr = AR_ARMAP_ATTR_BE_64; + } else { + return SLBT_CUSTOM_ERROR( + dctx, + SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS); + } + + nsyms = sizeofrefs / sizeof(struct ar_raw_armap_ref_64); + mark += (sizeofrefs / sizeof(*mark)); armap->ar_size_of_strs = mark; uch = *mark++; - u64_lo = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0]; - u64_hi = (uch[7] << 24) + (uch[6] << 16) + (uch[5] << 8) + uch[4]; + if (attr == AR_ARMAP_ATTR_LE_64) { + u64_lo = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0]; + u64_hi = (uch[7] << 24) + (uch[6] << 16) + (uch[5] << 8) + uch[4]; + } else { + u64_hi = (uch[0] << 24) + (uch[1] << 16) + (uch[2] << 8) + uch[3]; + u64_lo = (uch[4] << 24) + (uch[5] << 16) + (uch[6] << 8) + uch[7]; + } sizeofstrs = u64_lo + (u64_hi << 32); m->symstrs = (const char *)mark; + if (nsyms && !m->symstrs[0]) + return SLBT_CUSTOM_ERROR( + dctx, + SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE); + + for (ch=&m->symstrs[1],nstrs=0; ch<&m->symstrs[sizeofstrs]; ch++) + if (!ch[0] && ch[-1]) + nstrs++; + + if (nstrs != nsyms) + return SLBT_CUSTOM_ERROR( + dctx, + SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE); + if (!(m->symstrv = calloc(nsyms + 1,sizeof(const char *)))) return 
SLBT_SYSTEM_ERROR(dctx,0); @@ -375,7 +418,7 @@ static int slbt_ar_parse_primary_armap_bsd_64( armapref = &m->armaps.armap_common_64; armapref->ar_member = memberp; armapref->ar_armap_bsd = armap; - armapref->ar_armap_attr = AR_ARMAP_ATTR_BSD | AR_ARMAP_ATTR_LE_64; + armapref->ar_armap_attr = AR_ARMAP_ATTR_BSD | attr; armapref->ar_num_of_symbols = nsyms; armapref->ar_size_of_refs = sizeofrefs; armapref->ar_size_of_strs = sizeofstrs; -- cgit v1.2.3
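Review bot: `sizeofstrs`, decoded from the member right after the refs area, is never bounded against the bytes remaining in the member before the counting loop uses `&m->symstrs[sizeofstrs]` as its end pointer, so a crafted string-table size still walks past the end of the armap member, and the refs-size check above it has a parallel gap: `sizeofrefs_le < memberp->ar_object_size - sizeof(*mark)` accounts for the size-of-refs field only, leaving no room for the eight-byte size-of-strs field that is read at the advanced `mark`. Both checks should reserve the two size fields plus the eight-byte-rounded refs area that `mark += (sizeofrefs / sizeof(*mark))` actually skips, as in the rewrite below (it reuses the error codes already in the hunk); the extra guard on `ar_object_size < 2 * sizeof(*mark)` is only needed if the caller does not already guarantee a minimum member size, which this hunk does not show. Separately, the new big-endian decoding `u64_hi = (uch[0] << 24) + (uch[1] << 16) + ...` shifts an int-promoted `unsigned char`, which is undefined behaviour for a byte >= 0x80 (for an ordinary little-endian armap this is hit whenever the low byte of sizeofrefs is >= 0x80) and sign-extends into the `uint64_t` sum; widening first, `((uint64_t)uch[0] << 24)`, fixes both, and the same applies to the pre-existing little-endian lines. The enclosing function starts before this hunk and continues after it.
```c
	/* … unchanged: little- and big-endian decoding of sizeofrefs_le / sizeofrefs_be … */
	if (memberp->ar_object_size < 2 * sizeof(*mark))
		return SLBT_CUSTOM_ERROR(
			dctx,
			SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS);

	if (sizeofrefs_le <= memberp->ar_object_size - 2 * sizeof(*mark)) {
		/* … unchanged: sizeofrefs = sizeofrefs_le; attr = AR_ARMAP_ATTR_LE_64; … */
	} else if (sizeofrefs_be <= memberp->ar_object_size - 2 * sizeof(*mark)) {
		/* … unchanged: sizeofrefs = sizeofrefs_be; attr = AR_ARMAP_ATTR_BE_64; … */
	} else {
		/* … unchanged: SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS … */
	}

	/* … unchanged: nsyms, mark advance, size-of-strs decoding, m->symstrs … */

	/* bytes left after both size fields and the refs area that mark skipped */
	if (sizeofstrs > memberp->ar_object_size - 2 * sizeof(*mark)
			- (sizeofrefs / sizeof(*mark)) * sizeof(*mark))
		return SLBT_CUSTOM_ERROR(
			dctx,
			SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE);
	/* … unchanged: symstrs[0] check and the nstrs counting loop … */
```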