From c37698deddf747df9e4cebd3157e8ec09fb11373 Mon Sep 17 00:00:00 2001
From: midipix
Date: Jan 25 2024 04:24:00 +0000
Subject: slbt_ar_parse_primary_armap_bsd_32(): perform strict armap validation.
---
diff --git a/include/slibtool/slibtool.h b/include/slibtool/slibtool.h
index 5095ebb..8b5429a 100644
--- a/include/slibtool/slibtool.h
+++ b/include/slibtool/slibtool.h
@@ -110,6 +110,9 @@ enum slbt_custom_error {
 SLBT_ERR_AR_MISPLACED_ARMAP_MEMBER,
 SLBT_ERR_AR_NO_ACTION_SPECIFIED,
 SLBT_ERR_AR_NO_INPUT_SPECIFIED,
+ SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS,
+ SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_STRS,
+ SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE,
 };
 /* execution modes */
diff --git a/src/arbits/slbt_archive_meta.c b/src/arbits/slbt_archive_meta.c
index 260ca76..50b4605 100644
--- a/src/arbits/slbt_archive_meta.c
+++ b/src/arbits/slbt_archive_meta.c
@@ -237,9 +237,14 @@ static int slbt_ar_parse_primary_armap_bsd_32(
 struct ar_raw_armap_bsd_32 * armap;
 struct ar_meta_member_info * memberp;
 struct ar_meta_armap_common_32 *armapref;
+ uint32_t attr;
 uint32_t nsyms;
+ uint32_t nstrs;
+ uint32_t sizeofrefs_le;
+ uint32_t sizeofrefs_be;
 uint32_t sizeofrefs;
 uint32_t sizeofstrs;
+ const char * ch;
 unsigned char * uch;
 unsigned char (*mark)[0x04];
@@ -253,17 +258,53 @@ static int slbt_ar_parse_primary_armap_bsd_32(
 armap->ar_first_name_offset = mark;
- sizeofrefs = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0];
- nsyms = sizeofrefs / sizeof(struct ar_raw_armap_ref_32);
- mark += (sizeofrefs / sizeof(*mark));
+ sizeofrefs_le = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0];
+ sizeofrefs_be = (uch[0] << 24) + (uch[1] << 16) + (uch[2] << 8) + uch[3];
+
+ if (sizeofrefs_le < memberp->ar_object_size - sizeof(*mark)) {
+ sizeofrefs = sizeofrefs_le;
+ attr = AR_ARMAP_ATTR_LE_32;
+
+ } else if (sizeofrefs_be < memberp->ar_object_size - sizeof(*mark)) {
+ sizeofrefs = sizeofrefs_be;
+ attr = AR_ARMAP_ATTR_BE_32;
+ } else {
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS);
+ }
+
+ nsyms = sizeofrefs / sizeof(struct ar_raw_armap_ref_32);
+ mark += (sizeofrefs / sizeof(*mark));
 armap->ar_size_of_strs = mark;
 uch = *mark++;
- sizeofstrs = (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0];
+ sizeofstrs = (attr == AR_ARMAP_ATTR_LE_32)
+ ? (uch[3] << 24) + (uch[2] << 16) + (uch[1] << 8) + uch[0]
+ : (uch[0] << 24) + (uch[1] << 16) + (uch[2] << 8) + uch[3];
+
+ if (sizeofstrs > memberp->ar_object_size - 2*sizeof(*mark) - sizeofrefs)
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_STRS);
 m->symstrs = (const char *)mark;
+ if (nsyms && !m->symstrs[0])
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE);
+
+ for (ch=&m->symstrs[1],nstrs=0; ch<&m->symstrs[sizeofstrs]; ch++)
+ if (!ch[0] && ch[-1])
+ nstrs++;
+
+ if (nstrs != nsyms)
+ return SLBT_CUSTOM_ERROR(
+ dctx,
+ SLBT_ERR_AR_INVALID_ARMAP_STRING_TABLE);
+
 if (!(m->symstrv = calloc(nsyms + 1,sizeof(const char *))))
 return SLBT_SYSTEM_ERROR(dctx,0);
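Review bot: The two new bounds checks leave a wrap-around gap: `sizeofrefs_le < memberp->ar_object_size - sizeof(*mark)` accepts a refs size as large as object_size-5, but the later `sizeofstrs > memberp->ar_object_size - 2*sizeof(*mark) - sizeofrefs` is evaluated in size_t (the sizeof operand makes the arithmetic unsigned), so for sizeofrefs in object_size-7..object_size-5 the right-hand side wraps to near SIZE_MAX, any 32-bit sizeofstrs is accepted, and the terminator-counting loop then walks `ch` well past the member. The same accept condition also admits a sizeofrefs that is not a multiple of sizeof(struct ar_raw_armap_ref_32), after which `mark += (sizeofrefs / sizeof(*mark))` lands short of the intended size-of-strs field and the leftover bytes are silently dropped rather than treated as corruption. Requiring room for both length fields before trusting either size and rejecting a partial record closes both gaps (sketched below); whether the caller already guarantees ar_object_size >= 8 is not visible here, so the explicit guard is cheap insurance. The string-table pass also never requires `m->symstrs[sizeofstrs - 1] == 0`, so an unterminated tail after nsyms terminated strings still passes; that matters unless the per-ref string offsets are validated further down, which is outside this hunk, as is the rest of slbt_ar_parse_primary_armap_bsd_32 on both sides.
```c
	/* both the size-of-refs and size-of-strs fields must fit in the member */
	if (memberp->ar_object_size < 2*sizeof(*mark))
		return SLBT_CUSTOM_ERROR(
			dctx,
			SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS);

	if (sizeofrefs_le <= memberp->ar_object_size - 2*sizeof(*mark)) {
		sizeofrefs = sizeofrefs_le;
		attr = AR_ARMAP_ATTR_LE_32;

	} else if (sizeofrefs_be <= memberp->ar_object_size - 2*sizeof(*mark)) {
		sizeofrefs = sizeofrefs_be;
		attr = AR_ARMAP_ATTR_BE_32;
	} else {
		return SLBT_CUSTOM_ERROR(
			dctx,
			SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS);
	}

	/* refs are fixed-size records; a trailing partial record is corruption */
	if (sizeofrefs % sizeof(struct ar_raw_armap_ref_32))
		return SLBT_CUSTOM_ERROR(
			dctx,
			SLBT_ERR_AR_INVALID_ARMAP_SIZE_OF_REFS);
	/* … unchanged: nsyms, mark advance, sizeofstrs decode and its check … */
```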
@@ -272,7 +313,7 @@ static int slbt_ar_parse_primary_armap_bsd_32(
 armapref = &m->armaps.armap_common_32;
 armapref->ar_member = memberp;
 armapref->ar_armap_bsd = armap;
- armapref->ar_armap_attr = AR_ARMAP_ATTR_BSD | AR_ARMAP_ATTR_LE_32;
+ armapref->ar_armap_attr = AR_ARMAP_ATTR_BSD | attr;
 armapref->ar_num_of_symbols = nsyms;
 armapref->ar_size_of_refs = sizeofrefs;
 armapref->ar_size_of_strs = sizeofstrs;