@DavidKorczynski
Contributor

This is needed as otherwise Ctx.Ptr will be incremented to a position outside its available buffer, which is being used to read values, e.g.

uint32_t Size = readVaruint32(Ctx);

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856
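To make the failure mode concrete, here is an added example in the spirit of the fix; it is not LLVM's code and `ReadContext`, `readVaruint32`, `parseBodyUnchecked`, `parseBodyChecked` and `parseCodeSection` are simplified stand-ins written for this page, not the WasmObjectFile.cpp implementations. It parses a code section (a body count followed by length-prefixed bodies) once without and once with the bounds check, over a constructed input whose last body claims more bytes than remain.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for the reader cursor: [Ptr, End) is what is still available.
struct ReadContext {
  const uint8_t *Ptr;
  const uint8_t *End;
};

// Unsigned LEB128 decoder (the encoding behind readVaruint32). Each byte is
// bounds-checked, so the decoder itself never reads past End; the problem on
// the page is the caller advancing Ptr by an untrusted length.
static bool readVaruint32(ReadContext &Ctx, uint32_t &Out, std::string &Err) {
  uint32_t Result = 0;
  unsigned Shift = 0;
  for (;;) {
    if (Ctx.Ptr >= Ctx.End) {
      Err = "malformed uleb128, extends past end";
      return false;
    }
    uint8_t Byte = *Ctx.Ptr++;
    Result |= static_cast<uint32_t>(Byte & 0x7f) << Shift;
    if ((Byte & 0x80) == 0)
      break;
    Shift += 7;
    if (Shift >= 35) { // more than 5 bytes cannot encode a uint32_t
      Err = "uleb128 too long for uint32_t";
      return false;
    }
  }
  Out = Result;
  return true;
}

struct FunctionBody {
  const uint8_t *Data;
  uint32_t Size;
};

// "Before": the body span comes straight from the length prefix and Ptr is
// moved past it even when that lands outside the buffer, so the next read
// from Ctx starts out of bounds.
static bool parseBodyUnchecked(ReadContext &Ctx, FunctionBody &Body,
                               std::string &Err) {
  uint32_t Size;
  if (!readVaruint32(Ctx, Size, Err))
    return false;
  const uint8_t *FunctionEnd = Ctx.Ptr + Size; // may point past End
  Body = {Ctx.Ptr, Size};
  Ctx.Ptr = FunctionEnd;
  return true;
}

// "After": reject a body whose prefix claims more bytes than remain. Comparing
// against the remaining count avoids forming an out-of-bounds pointer to test.
static bool parseBodyChecked(ReadContext &Ctx, FunctionBody &Body,
                             std::string &Err) {
  uint32_t Size;
  if (!readVaruint32(Ctx, Size, Err))
    return false;
  if (Size > static_cast<size_t>(Ctx.End - Ctx.Ptr)) {
    Err = "function extends beyond buffer";
    return false;
  }
  Body = {Ctx.Ptr, Size};
  Ctx.Ptr += Size;
  return true;
}

struct CodeSectionResult {
  size_t Parsed;    // bodies successfully consumed
  bool PtrInBounds; // Ctx.Ptr <= Ctx.End once parsing stops
  std::string Err;  // empty on success
};

// Section layout: uleb128 body count, then that many (uleb128 size, bytes).
static CodeSectionResult parseCodeSection(const std::vector<uint8_t> &Section,
                                          bool Checked) {
  ReadContext Ctx{Section.data(), Section.data() + Section.size()};
  CodeSectionResult R{0, true, ""};
  uint32_t Count;
  if (!readVaruint32(Ctx, Count, R.Err))
    return R;
  for (uint32_t I = 0; I < Count; ++I) {
    FunctionBody Body;
    bool Ok = Checked ? parseBodyChecked(Ctx, Body, R.Err)
                      : parseBodyUnchecked(Ctx, Body, R.Err);
    if (!Ok)
      break;
    ++R.Parsed;
  }
  R.PtrInBounds = Ctx.Ptr <= Ctx.End;
  return R;
}

// Constructed sample: two bodies declared; the second claims 127 bytes while
// only two remain, the shape of input a fuzzer tends to find.
static const std::vector<uint8_t> kTruncatedSection = {
    0x02,                   // body count = 2
    0x03, 0x01, 0x0b, 0x0b, // body 1: size 3, then 3 bytes
    0x7f, 0x0b, 0x0b,       // body 2: size 127, only 2 bytes follow
};

int main() {
  for (bool Checked : {false, true}) {
    CodeSectionResult R = parseCodeSection(kTruncatedSection, Checked);
    std::cout << (Checked ? "checked:   " : "unchecked: ") << "parsed="
              << R.Parsed << " ptr_in_bounds=" << R.PtrInBounds << " err=\""
              << R.Err << "\"\n";
  }
  return 0;
}
```

Running it shows the unchecked parser "succeeding" on both bodies while leaving `Ptr` 125 bytes past `End`, and the checked parser stopping at body 2 with the error; the check is written as `Size > End - Ptr` rather than `Ptr + Size > End` so that the out-of-range pointer is never formed at all.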


@llvmbot
Member

llvmbot commented Dec 26, 2023

@llvm/pr-subscribers-backend-webassembly

@llvm/pr-subscribers-llvm-binary-utilities

Author: None (DavidKorczynski)

Changes

This is needed as otherwise Ctx.Ptr will be incremented to a position outside its available buffer, which is being used to read values, e.g.

uint32_t Size = readVaruint32(Ctx);

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856


Full diff: https://github.com/llvm/llvm-project/pull/76407.diff

1 Files Affected:

  • (modified) llvm/lib/Object/WasmObjectFile.cpp (+5)
diff --git a/llvm/lib/Object/WasmObjectFile.cpp b/llvm/lib/Object/WasmObjectFile.cpp index dfe86a45df3227..40665d686cf939 100644 --- a/llvm/lib/Object/WasmObjectFile.cpp +++ b/llvm/lib/Object/WasmObjectFile.cpp @@ -1484,6 +1484,11 @@ Error WasmObjectFile::parseCodeSection(ReadContext &Ctx) { } uint32_t BodySize = FunctionEnd - Ctx.Ptr; + // Ensure that Function is within Ctx's buffer. + if (Ctx.Ptr + BodySize > Ctx.End) { + return make_error<GenericBinaryError>("Function extends beyond buffer", + object_error::parse_failed); + } Function.Body = ArrayRef<uint8_t>(Ctx.Ptr, BodySize); // This will be set later when reading in the linking metadata section. Function.Comdat = UINT32_MAX; 
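Review bot: the new check in parseCodeSection computes `Ctx.Ptr + BodySize > Ctx.End`, which forms a pointer past the end of the buffer in exactly the case it is meant to reject; since `BodySize` is defined on the line above as `FunctionEnd - Ctx.Ptr`, the same condition can be written as `FunctionEnd > Ctx.End` (or `BodySize > Ctx.End - Ctx.Ptr`) without the extra pointer arithmetic. Two smaller points: LLVM error strings are conventionally lowercase and not sentences, so `"function extends beyond buffer"` would match the neighbouring messages; and the file list shows only `WasmObjectFile.cpp` changing, so a regression test with a truncated code section (a reduced form of the oss-fuzz input would do) is missing.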
This is needed as otherwise `Ctx.Ptr` will be incremented to a position outside its available buffer, which is being used to read values, e.g. https://github.com/llvm/llvm-project/blob/966d564e43e650b9c34f9c67829d3947f52add91/llvm/lib/Object/WasmObjectFile.cpp#L1469

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28856

Signed-off-by: David Korczynski <david@adalogics.com>
Member

@aheejin aheejin left a comment


Thanks!

@aheejin aheejin merged commit e8b6fa5 into llvm:main Dec 26, 2023