[Zucchini]: Fix bugs found by Apply fuzzer

Located by fuzzing ZTF Apply (WIP): https://chromium-review.googlesource.com/c/chromium/src/+/1072231 Found two fatal errors: - OffsetForKey always assumes a key is valid however, the validity of the key is not checked prior to the caller invoking the method. The caller also had no way to check validity if it was external to TargetPool. Fix: Add a method to check for key validity ahead of calling OffsetForKey. - ConvertToTargetLineCol for absolute references had a logic bug that resulted in attempting to dereference an invalid base::Optional Fix: Change the logic to avoid issue. Bug: 835341 Change-Id: I99c91741eef41dfaa3036af8e708eb3f0d5ca84a Reviewed-on: https://chromium-review.googlesource.com/1072272 Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org> Reviewed-by: Samuel Huang <huangs@chromium.org> Cr-Commit-Position: refs/heads/master@{#561642}

[Zucchini]: Fix bugs found by Apply fuzzer
Located by fuzzing ZTF Apply (WIP): https://chromium-review.googlesource.com/c/chromium/src/+/1072231 Found two fatal errors: - OffsetForKey always assumes a key is valid however, the validity of the key is not checked prior to the caller invoking the method. The caller also had no way to check validity if it was external to TargetPool. Fix: Add a method to check for key validity ahead of calling OffsetForKey. - ConvertToTargetLineCol for absolute references had a logic bug that resulted in attempting to dereference an invalid base::Optional Fix: Change the logic to avoid issue. Bug: 835341 Change-Id: I99c91741eef41dfaa3036af8e708eb3f0d5ca84a Reviewed-on: https://chromium-review.googlesource.com/1072272 Commit-Queue: Calder Kitagawa <ckitagawa@chromium.org> Reviewed-by: Samuel Huang <huangs@chromium.org> Cr-Commit-Position: refs/heads/master@{#561642}
4e3e49f9 · Calder Kitagawa · Commit Bot · 77d87185 · 4e3e49f9 · 4e3e49f9
Commit 4e3e49f9 authored May 24, 2018 by Calder Kitagawa Committed by Commit Bot May 24, 2018
3 changed files
--- a/components/zucchini/disassembler_ztf.cc
+++ b/components/zucchini/disassembler_ztf.cc
@@ -351,7 +351,7 @@ class ZtfReferenceWriter : public ReferenceWriter {
  // Returns true on success.
  bool ConvertToTargetLineCol(Reference reference, ztf::LineCol* out_lc) {
    auto temp_lc = translator_.OffsetToLineCol(reference.target);
-    if (!temp_lc.has_value() && translator_.IsValid(temp_lc.value()))
+    if (!temp_lc.has_value() || !translator_.IsValid(temp_lc.value()))
      return false;

    *out_lc = temp_lc.value();

--- a/components/zucchini/target_pool.h
+++ b/components/zucchini/target_pool.h
@@ -54,6 +54,9 @@ class TargetPool {
  // this class.
  offset_t OffsetForKey(key_t key) const { return targets_[key]; }

+  // Returns whether a particular key is valid.
+  bool KeyIsValid(key_t key) const { return key < targets_.size(); }
+
  // Uses |offset_mapper| to transform "old" |targets_| to "new" |targets_|,
  // resulting in sorted and unique targets.
  void FilterAndProject(const OffsetMapper& offset_mapper);

--- a/components/zucchini/zucchini_apply.cc
+++ b/components/zucchini/zucchini_apply.cc
@@ -151,6 +151,11 @@ bool ApplyReferencesCorrection(ExecutableType exe_type,
            LOG(ERROR) << "Error reading reference_delta";
            return false;
          }
+          const key_t key = expected_key + delta.value();
+          if (!targets.KeyIsValid(key)) {
+            LOG(ERROR) << "Invalid reference_delta";
+            return false;
+          }
          ref->target = targets.OffsetForKey(expected_key + delta.value());
          ref->location =
              ref->location - equivalence->src_offset + equivalence->dst_offset;