libsframe: adjust an incorrect check in flip_sframe

When sframe_encoder_write needs to flip the buffer containing the SFrame section before writing, it is not necessary that the SFrame FDES are in the order of their sfde_func_start_fre_off. On the contrary, SFrame FDEs will be sorted in the order of their start address. So, remove this incorrect assumption which is basically assuming that the last sfde_func_start_fre_off seen will help determine the end of the flipped buffer. The function now keeps track of the bytes_flipped and then compares it with the expected value. Also, added two more checks at appropriate places: - check that the SFrame FDE read is within bounds - check that the SFrame FRE read is within bounds libsframe/ * sframe.c (flip_sframe): Adjust an incorrect check. Add other checks to ensure reads are within the buffer size.

libsframe: adjust an incorrect check in flip_sframe
When sframe_encoder_write needs to flip the buffer containing the SFrame section before writing, it is not necessary that the SFrame FDES are in the order of their sfde_func_start_fre_off. On the contrary, SFrame FDEs will be sorted in the order of their start address. So, remove this incorrect assumption which is basically assuming that the last sfde_func_start_fre_off seen will help determine the end of the flipped buffer. The function now keeps track of the bytes_flipped and then compares it with the expected value. Also, added two more checks at appropriate places: - check that the SFrame FDE read is within bounds - check that the SFrame FRE read is within bounds libsframe/ * sframe.c (flip_sframe): Adjust an incorrect check. Add other checks to ensure reads are within the buffer size.
cd9aea32 · Indu Bhagat · 47bb5b33 · cd9aea32
Commit cd9aea32 authored 2 years ago by Indu Bhagat
--- a/libsframe/sframe.c
+++ b/libsframe/sframe.c
@@ -401,7 +401,10 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
  unsigned int fre_type = 0;
  uint32_t fre_offset = 0;
  size_t esz = 0;
+  size_t hdrsz = 0;
  int err = 0;
+  /* For error checking.  */
+  size_t bytes_flipped = 0;

  /* Header must be in host endianness at this time.  */
  ihp = (sframe_header *)frame_buf;
@@ -411,14 +414,18 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)

  /* The contents of the SFrame header are safe to read.  Get the number of
     FDEs and the first FDE in the buffer.  */
+  hdrsz = sframe_get_hdr_size (ihp);
  num_fdes = ihp->sfh_num_fdes;
-  fdes = frame_buf + sframe_get_hdr_size (ihp) + ihp->sfh_fdeoff;
+  fdes = frame_buf + hdrsz + ihp->sfh_fdeoff;
  fdep = (sframe_func_desc_entry *)fdes;

  j = 0;
  prev_frep_index = 0;
  for (i = 0; i < num_fdes; fdep++, i++)
    {
+      if ((char*)fdep >= (frame_buf + buf_size))
+	goto bad;
+
      if (to_foreign)
 	{
 	  num_fres = fdep->sfde_func_num_fres;
@@ -427,6 +434,7 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
 	}

      flip_fde (fdep);
+      bytes_flipped += sizeof (sframe_func_desc_entry);

      if (!to_foreign)
 	{
@@ -441,20 +449,16 @@ flip_sframe (char *frame_buf, size_t buf_size, uint32_t to_foreign)
 	{
 	  if (flip_fre (fp, fre_type, &esz))
 	    goto bad;
+	  bytes_flipped += esz;

-	  if (esz == 0)
+	  if (esz == 0 || esz > buf_size)
 	    goto bad;
 	  fp += esz;
 	}
      prev_frep_index = j;
    }
-  /* All FREs must have been endian flipped by now.  */
-  if (j != ihp->sfh_num_fres)
-    goto bad;
-  /* Contents, if any, must have been processed by now.
-     Recall that .sframe section with just a SFrame header may be generated by
-     GAS if no SFrame FDEs were found for the input file.  */
-  if (ihp->sfh_num_fres && ((frame_buf + buf_size) != (void*)fp))
+  /* All FDEs and FREs must have been endian flipped by now.  */
+  if ((j != ihp->sfh_num_fres) || (bytes_flipped != (buf_size - hdrsz)))
    goto bad;

  /* Success.  */