Merge pull request #510 from fitzgen/overflows-and-div-by-zero-in-deb…

…ug-aranges Fix some overflows and division-by-zero in `.debug_aranges` handling
gimli-rs · May 19, 2020 · 33ea786 · 33ea786
2 parents 6d3ca24 + 74b8ebe
commit 33ea786
Showing 1 changed file with 84 additions and 1 deletion.
diff --git a/src/read/aranges.rs b/src/read/aranges.rs
@@ -98,7 +98,13 @@ impl<R: Reader> LookupParser<R> for ArangeParser<R> {
         // The first tuple following the header in each set begins at an offset that is
         // a multiple of the size of a single tuple (that is, the size of a segment selector
         // plus twice the size of an address).
-        let tuple_length = 2 * address_size + segment_size;
+        let tuple_length = address_size
+            .checked_mul(2)
+            .and_then(|x| x.checked_add(segment_size))
+            .ok_or(Error::InvalidAddressRange)?;
+        if tuple_length == 0 {
+            return Err(Error::InvalidAddressRange)?;
+        }
         let padding = if header_length % tuple_length == 0 {
             0
         } else {
@@ -322,6 +328,83 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_parse_header_overflow_error() {
+        #[rustfmt::skip]
+        let buf = [
+            // 32-bit length = 32.
+            0x20, 0x00, 0x00, 0x00,
+            // Version.
+            0x02, 0x00,
+            // Offset.
+            0x01, 0x02, 0x03, 0x04,
+            // Address size.
+            0xff,
+            // Segment size.
+            0xff,
+            // Length to here = 12, tuple length = 20.
+            // Padding to tuple length multiple = 4.
+            0x10, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+
+            // Dummy arange tuple data.
+            0x20, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+
+            // Dummy next arange.
+            0x30, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+        ];
+
+        let rest = &mut EndianSlice::new(&buf, LittleEndian);
+
+        let error = ArangeParser::parse_header(rest).expect_err("should fail to parse header");
+        assert_eq!(error, Error::InvalidAddressRange);
+    }
+
+    #[test]
+    fn test_parse_header_div_by_zero_error() {
+        #[rustfmt::skip]
+        let buf = [
+            // 32-bit length = 32.
+            0x20, 0x00, 0x00, 0x00,
+            // Version.
+            0x02, 0x00,
+            // Offset.
+            0x01, 0x02, 0x03, 0x04,
+            // Address size = 0. Could cause a division by zero if we aren't
+            // careful.
+            0x00,
+            // Segment size.
+            0x00,
+            // Length to here = 12, tuple length = 20.
+            // Padding to tuple length multiple = 4.
+            0x10, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+
+            // Dummy arange tuple data.
+            0x20, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+
+            // Dummy next arange.
+            0x30, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+            0x00, 0x00, 0x00, 0x00,
+        ];
+
+        let rest = &mut EndianSlice::new(&buf, LittleEndian);
+
+        let error = ArangeParser::parse_header(rest).expect_err("should fail to parse header");
+        assert_eq!(error, Error::InvalidAddressRange);
+    }
+
     #[test]
     fn test_parse_entry_ok() {
         let header = ArangeHeader {