[Courgette]: Fix applying non-zero offset 255 to null pointer.

Report: "courgette/disassembler_win32.cc:241:44: runtime error: applying non-zero offset 255 to null pointer" courgette::DisassemblerWin32::ParseRelocs courgette::DisassemblerWin32::ExtractAbs32Locations courgette::Disassembler::CreateProgram The fix seems to move bounds check on |relocs_start| before computing |relocs_end|. Bug: 1027893 Change-Id: Iec3f81ab0db077467d28dd8e122aa33d92d52a89 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1960548 Commit-Queue: Etienne Pierre-Doray <etiennep@chromium.org> Reviewed-by: Samuel Huang <huangs@chromium.org> Cr-Commit-Position: refs/heads/master@{#723563}
Denger-Network · Dec 10, 2019 · e058629 · e058629
1 parent 9144c09
commit e058629
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/courgette/disassembler_win32.cc b/courgette/disassembler_win32.cc
@@ -238,13 +238,14 @@ bool DisassemblerWin32::ParseRelocs(std::vector<RVA>* relocs) {
   // at http://msdn.microsoft.com/en-us/library/ms809762.aspx
 
   const uint8_t* relocs_start = RVAToPointer(base_relocation_table_.address_);
-  const uint8_t* relocs_end = relocs_start + relocs_size;
+  if (relocs_start == nullptr || relocs_start < start() ||
+      relocs_start >= end())
+    return Bad(".relocs outside image");
 
   // Make sure entire base relocation table is within the buffer.
-  if (relocs_start < start() || relocs_start >= end() ||
-      relocs_end <= start() || relocs_end > end()) {
+  if (relocs_size > static_cast<size_t>(end() - relocs_start))
     return Bad(".relocs outside image");
-  }
+  const uint8_t* relocs_end = relocs_start + relocs_size;
 
   const uint8_t* block = relocs_start;