archive: fix size overflow in name index parser (#455)

kkent030315 · dapa · web-flow · commit 9c9ded7346a6 · 2025-04-08T01:48:14.000-07:00
Co-Authored-By: dapa &lt;dapa@github&gt;
diff --git a/src/archive/mod.rs b/src/archive/mod.rs
@@ -375,6 +375,11 @@ impl<'a> NameIndex<'a> {
         // This is a total hack, because strtab returns "" if idx == 0, need to change
         // but previous behavior might rely on this, as ELF strtab's have "" at 0th index...
         let hacked_size = size + 1;
+        if hacked_size < 2 {
+            return Err(Error::Malformed(format!(
+                "Size ({hacked_size:#x}) too small"
+            )));
+        }
         let strtab = strtab::Strtab::parse(buffer, *offset - 1, hacked_size, b'\n')?;
         // precious time was lost when refactoring because strtab::parse doesn't update the mutable seek...
         *offset += hacked_size - 2;
@@ -639,6 +644,19 @@ mod tests {
         assert_eq!(Member::bsd_filename_length("#1/1 A"), None);
     }
 
+    /// https://github.com/m4b/goblin/issues/450
+    const MALFORMED_ARCHIVE_INDEX_TOO_SMALL: [u8; 132] = [
+        0x21, 0x3C, 0x61, 0x72, 0x63, 0x68, 0x3E, 0x0A, 0x55, 0x52, 0x09, 0x5C, 0x09, 0x09, 0x10,
+        0x27, 0x2B, 0x09, 0x0A, 0x53, 0x54, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09,
+        0x09, 0x09, 0x09, 0x09, 0x2A, 0x29, 0x2A, 0x09, 0xF7, 0x08, 0x09, 0x09, 0x00, 0x01, 0x01,
+        0x01, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x01, 0x00, 0x31, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x08, 0x2F, 0x2F, 0x20, 0x20, 0x20,
+        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x09,
+        0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x23, 0x42, 0x21, 0x09, 0xF7, 0x08, 0x20, 0x20, 0x00,
+        0x3C, 0x20, 0x20, 0x20, 0x00, 0x20, 0x20, 0x20, 0x20, 0x09, 0x09, 0x01, 0x01, 0x30, 0x0D,
+        0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x09, 0x00, 0x00, 0x27, 0x55,
+    ];
+
     /// https://github.com/m4b/goblin/issues/450
     const MALFORMED_ARCHIVE: [u8; 212] = [
         0x21, 0x3C, 0x61, 0x72, 0x63, 0x68, 0x3E, 0x0A, 0x2F, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
@@ -658,6 +676,17 @@ mod tests {
         0x14, 0x34,
     ];
 
+    #[test]
+    fn parse_name_index_too_small() {
+        let res = Archive::parse(&MALFORMED_ARCHIVE_INDEX_TOO_SMALL);
+        assert_eq!(res.is_err(), true);
+        if let Err(Error::Malformed(msg)) = res {
+            assert_eq!(msg, "Size (0x1) too small");
+        } else {
+            panic!("Expected a Malformed error but got {:?}", res);
+        }
+    }
+
     #[test]
     fn parse_malformed_archive() {
         let res = Archive::parse(&MALFORMED_ARCHIVE);
