[WebAssembly] Object: Add more error checking for object file reading

This should address some the assert failures the fuzzer has been finding such as: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6719 Differential Revision: https://reviews.llvm.org/D47046 llvm-svn: 332769
llvm · May 18, 2018 · 4bbc6b5 · 4bbc6b5
1 parent 0ca8c08
commit 4bbc6b5
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp
@@ -112,19 +112,22 @@ static int64_t readLEB128(const uint8_t *&Ptr) {
 
 static uint8_t readVaruint1(const uint8_t *&Ptr) {
   int64_t result = readLEB128(Ptr);
-  assert(result <= VARUINT1_MAX && result >= 0);
+  if (result > VARUINT1_MAX || result < 0)
+    report_fatal_error("LEB is outside Varuint1 range");
   return result;
 }
 
 static int32_t readVarint32(const uint8_t *&Ptr) {
   int64_t result = readLEB128(Ptr);
-  assert(result <= INT32_MAX && result >= INT32_MIN);
+  if (result > INT32_MAX || result < INT32_MIN)
+    report_fatal_error("LEB is outside Varint32 range");
   return result;
 }
 
 static uint32_t readVaruint32(const uint8_t *&Ptr) {
   uint64_t result = readULEB128(Ptr);
-  assert(result <= UINT32_MAX);
+  if (result > UINT32_MAX)
+    report_fatal_error("LEB is outside Varuint32 range");
   return result;
 }
 
@@ -955,6 +958,9 @@ Error WasmObjectFile::parseDataSection(const uint8_t *Ptr, const uint8_t *End) {
     if (Error Err = readInitExpr(Segment.Data.Offset, Ptr))
       return Err;
     uint32_t Size = readVaruint32(Ptr);
+    if (Size > End - Ptr)
+      return make_error<GenericBinaryError>("Invalid segment size",
+                                            object_error::parse_failed);
     Segment.Data.Content = ArrayRef<uint8_t>(Ptr, Size);
     // The rest of these Data fields are set later, when reading in the linking
     // metadata section.