Skip to content

GitLab

"plugins/git@web.lueluesay.top:root/oh-my-zsh.git" did not exist on "b28665aebb4c1b07a57890eb59551bc51d0acf37"
Commit eda2b422 authored by Luc Verhaegen's avatar Luc Verhaegen Committed by Alejandro Mery
Browse files

fexc: add some sanity checking to bin reading 


Signed-off-by: default avatarLuc Verhaegen <libv@skynet.be>
parent bdc13f4b
Hide whitespace changes
Inline Side-by-side
script_bin.c
View file @ eda2b422
...@@ -210,17 +210,35 @@ int script_generate_bin(void *bin, size_t UNUSED(bin_size), ...@@ -210,17 +210,35 @@ int script_generate_bin(void *bin, size_t UNUSED(bin_size),
/* /*
* decompiler * decompiler
*/ */
static int decompile_section(void *bin, size_t UNUSED(bin_size), static int decompile_section(void *bin, size_t bin_size,
const char *filename, const char *filename,
struct script_bin_section *section, struct script_bin_section *section,
struct script *script) struct script *script)
{ {
struct script_bin_entry *entry = PTR(bin, section->offset<<2); struct script_bin_entry *entry;
struct script_section *s; struct script_section *s;
int size;
if ((section->offset < 0) || (section->offset > (int)(bin_size / 4))) {
pr_err("Malformed data: invalid section offset: %d\n",
section->offset);
return 0;
}
size = bin_size - 4 * section->offset;
if ((section->length <= 0) ||
(section->length > (size / (int)sizeof(struct script_bin_entry)))) {
pr_err("Malformed data: invalid section length: %d\n",
section->length);
return 0;
}
if ((s = script_section_new(script, section->name)) == NULL) if ((s = script_section_new(script, section->name)) == NULL)
goto malloc_error; goto malloc_error;
entry = PTR(bin, section->offset<<2);
for (int i = section->length; i--; entry++) { for (int i = section->length; i--; entry++) {
void *data = PTR(bin, entry->offset<<2); void *data = PTR(bin, entry->offset<<2);
unsigned type, words; unsigned type, words;
...@@ -289,6 +307,9 @@ failure: ...@@ -289,6 +307,9 @@ failure:
return 0; return 0;
} }
#define SCRIPT_BIN_VERSION_LIMIT 0x10
#define SCRIPT_BIN_SECTION_LIMIT 0x100
int script_decompile_bin(void *bin, size_t bin_size, int script_decompile_bin(void *bin, size_t bin_size,
const char *filename, const char *filename,
struct script *script) struct script *script)
...@@ -302,6 +323,20 @@ int script_decompile_bin(void *bin, size_t bin_size, ...@@ -302,6 +323,20 @@ int script_decompile_bin(void *bin, size_t bin_size,
pr_info("%s: size: %zu (%d sections)\n", filename, pr_info("%s: size: %zu (%d sections)\n", filename,
bin_size, head->sections); bin_size, head->sections);
if (head->sections > SCRIPT_BIN_SECTION_LIMIT) {
pr_err("Malformed data: too many sections (%d).\n",
head->sections);
return 0;
}
if ((head->version[0] > SCRIPT_BIN_VERSION_LIMIT) ||
(head->version[1] > SCRIPT_BIN_VERSION_LIMIT) ||
(head->version[2] > SCRIPT_BIN_VERSION_LIMIT)) {
pr_err("Malformed data: version %d.%d.%d.\n",
head->version[0], head->version[1], head->version[2]);
return 0;
}
/* TODO: SANITY: compare head.sections with bin_size */ /* TODO: SANITY: compare head.sections with bin_size */
for (i=0; i < head->sections; i++) { for (i=0; i < head->sections; i++) {
struct script_bin_section *section = &head->section[i]; struct script_bin_section *section = &head->section[i];
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment