
Commit 43ae7b4

committed
[Objective-C] Fix misc crashes for bad input binaries
Fixes Vector35/binaryninja#1470
1 parent 6ab0d3d commit 43ae7b4

1 file changed

Lines changed: 21 additions & 2 deletions


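--- a/objectivec/objc.cpp
+++ b/objectivec/objc.cpp
@@ -6,6 +6,10 @@
 
 #define RELEASE_ASSERT(condition) ((condition) ? (void)0 : (std::abort(), (void)0))
 
+#define MAX_PROTOCOL_COUNT 0x1000
+#define MAX_METHOD_LIST_COUNT 0x1000
+#define MAX_IVAR_LIST_COUNT 0x1000
+
 using namespace BinaryNinja;
 
 namespace {
@@ -847,6 +851,11 @@ void ObjCProcessor::LoadProtocols(ObjCReader* reader, Ref<Section> listSection)
 "protoProtocols_" + protocolName, protocol.protocols, true);
 reader->Seek(protocol.protocols);
 uint32_t count = reader->Read64();
+if (count > MAX_PROTOCOL_COUNT)
+{
+m_logger->LogWarn("List of protocols at 0x%llx has too large a count of 0x%x, skipping...", protocol.protocols, count);
+continue;
+}
 view_ptr_t addr = reader->GetOffset();
 for (uint32_t j = 0; j < count; j++)
 {
@@ -928,7 +937,7 @@ void ObjCProcessor::ReadListOfMethodLists(ObjCReader* reader, ClassBase& cls, st
 head.entsizeAndFlags = reader->Read32();
 head.count = reader->Read32();
 
-if (head.count > 0x1000)
+if (head.count > MAX_METHOD_LIST_COUNT)
 {
 m_logger->LogError("List of method lists at 0x%llx has an invalid count of 0x%x", start, head.count);
 return;
@@ -962,7 +971,7 @@ void ObjCProcessor::ReadMethodList(ObjCReader* reader, ClassBase& cls, std::stri
 head.entsizeAndFlags = reader->Read32();
 head.count = reader->Read32();
 
-if (head.count > 0x1000)
+if (head.count > MAX_METHOD_LIST_COUNT)
 {
 m_logger->LogError("Method list at 0x%llx has an invalid count of 0x%x", start, head.count);
 return;
@@ -1066,6 +1075,11 @@ void ObjCProcessor::ReadIvarList(ObjCReader* reader, ClassBase& cls, std::string
 ivar_list_t head;
 head.entsizeAndFlags = reader->Read32();
 head.count = reader->Read32();
+if (head.count > MAX_IVAR_LIST_COUNT)
+{
+m_logger->LogWarn("Ivar list at 0x%llx has an invalid count of 0x%x, skipping..", start, head.count);
+return;
+}
 auto addressSize = m_data->GetAddressSize();
 DefineObjCSymbol(DataSymbol, m_typeNames.ivarList, "ivar_list_" + std::string(name), start, true);
 for (unsigned i = 0; i < head.count; i++)
@@ -1681,6 +1695,11 @@ void ObjCProcessor::ProcessCFStrings()
 uint64_t flags = reader->ReadPointer();
 auto strLoc = ReadPointerAccountingForRelocations(reader.get());
 auto size = reader->ReadPointer();
+if (reader->GetOffset() + size > cfstrings->GetEnd())
+{
+m_logger->LogWarn("CFString at 0x%llx has invalid size 0x%llx, skipping...", i, size);
+continue;
+}
 std::string str;
 if (flags & 0b10000) // UTF16
 {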
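Review bot: The new guard in the CFString hunk, `if (reader->GetOffset() + size > cfstrings->GetEnd())`, adds an attacker-controlled `size` to the current offset in unsigned arithmetic, so a value near the type's maximum wraps the sum back below GetEnd() and the entry is accepted instead of skipped; writing it as `if (size > cfstrings->GetEnd() - reader->GetOffset())` cannot wrap, on the assumption (which should hold while the reader is positioned inside the section) that GetOffset() never exceeds GetEnd(). It is also worth confirming that this check bounds the read that actually happens: the string bytes appear to come from `strLoc`, assigned on the line above from ReadPointerAccountingForRelocations, not from the reader's current position, so comparing `GetOffset() + size` against the `cfstrings` section end may not constrain access at `strLoc`, and if the UTF16 branch that follows reads `size` code units the byte length is twice `size`. ProcessCFStrings starts and ends outside the hunk, so the later use of `size` is not visible here.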
