libxdk: added boundary checks for seeking

Author: koczkatamas

libxdk/target/BinaryReader.cpp

@@ -66,7 +66,7 @@ void BinaryReader::SeekToItem(uint64_t seeklist_offset, uint64_t item_idx) {
     throw ExpKitError("Seeking is already in progress. Call EndSeek() first.");
 
   seek_origin_offset_ = offset_;
-  offset_ = seeklist_offset;
+  SeekTo(seeklist_offset);
   auto value = ReadUInt();
   auto offset_size = (value & 0x3) + 1;
   auto item_count = value >> 2;
@@ -78,12 +78,12 @@ void BinaryReader::SeekToItem(uint64_t seeklist_offset, uint64_t item_idx) {
   auto hdr_offset = offset_;
   uint64_t item_offset = 0;
   if (item_idx != 0) {
-    offset_ += offset_size * (item_idx - 1);
+    Skip(offset_size * (item_idx - 1));
     item_offset = Uint(offset_size);
   }
 
-  // skip the seek list
-  offset_ = hdr_offset + offset_size * item_count + item_offset;
+  // skip the remaining seek list and jump to the item
+  Skip((item_count - item_idx) * offset_size + item_offset);
   DebugLog(
       "SeekToItem(): seeklist_offset=%u, item_idx=%u, offset_size=%u, "
       "item_count=%u, item_offset=%u, new offset=%u",
@@ -97,7 +97,7 @@ uint64_t BinaryReader::SeekableListCount() {
   auto offset_size = 1 << (hdr & 0x3); // 0=u1, 1=u2, 2=u4, 3=u8
   auto item_count = hdr >> 2;
   // skip the seek list
-  offset_ += offset_size * item_count;
+  Skip(offset_size * item_count);
   return item_count;
 }
 
@@ -157,6 +157,11 @@ uint16_t BinaryReader::ReadU16() { return *(uint16_t*)Read(2); }
 
 uint8_t BinaryReader::ReadU8() { return *(uint8_t*)Read(1); }
 
+void BinaryReader::Skip(uint64_t len) {
+  SizeCheck(len);
+  offset_ += len;
+}
+
 uint8_t* BinaryReader::Read(uint16_t len) {
   SizeCheck(len);
   uint8_t* ptr = &data_.data()[offset_];
@@ -171,6 +176,14 @@ void BinaryReader::SizeCheck(uint64_t len) {
         offset_, len, EndOffset());
 }
 
+void BinaryReader::SeekTo(uint64_t offset) {
+  if (offset >= EndOffset())
+    throw ExpKitError(
+        "tried to read seek outside of the buffer: from_offset=%lu, to_offset=%lu, struct_end=%lu",
+        offset_, offset, EndOffset());
+  offset_ = offset;
+}
+
 uint64_t BinaryReader::RemainingBytes() { return EndOffset() - offset_; }
 
 uint64_t BinaryReader::EndOffset() {

libxdk/target/BinaryReader.h

@@ -46,6 +46,20 @@ class BinaryReader {
     */
     void SizeCheck(uint64_t len);
 
+    /**
+    * @brief Skip len amount of bytes.
+    * @param len The number of bytes to skip.
+    * @throws ExpKitError if there are not enough remaining bytes.
+    */
+    void Skip(uint64_t len);
+
+    /**
+    * @brief Seek to offset.
+    * @param offset The offset within the file to seek.
+    * @throws ExpKitError if the offset is out-of-bounds.
+    */
+    void SeekTo(uint64_t offset);
+
     /**
     * @brief Reads a block of raw bytes from the buffer.
     * @param len The number of bytes to read.

libxdk/target/KxdbParser.cpp

@@ -92,12 +92,12 @@ std::vector<Target> KxdbParser::ParseTargets(
   if (offset_targets_ == 0) ParseHeader();
 
   std::vector<Target> result;
-  offset_ = offset_targets_;
+  SeekTo(offset_targets_);
   auto num_targets = SeekableListCount(); // by_version
   auto offsets = SeekableListOffsets();
-  DebugLog("ParseTarget(): offset = 0x%x, num_targets=%u, offset[0] = 0x%x", offset_targets_, num_targets, offsets[0]);
+  DebugLog("ParseTarget(): offset = 0x%x, num_targets=%u", offset_targets_, num_targets);
   for (uint32_t i_target = 0; i_target < num_targets; i_target++) {
-    offset_ = offsets[i_target];
+    SeekTo(offsets.at(i_target));
     const char* t_distro = ZStr();
     const char* t_release = ZStr();
     const char* t_version = ZStr();
@@ -293,7 +293,7 @@ void KxdbParser::ParseRopActionsHeader() {
     DebugLog("rop_action[%d], num_args = %d, desc = '%s'", i, num_args, desc);
 
     RopActionMeta ra(desc);
-    for (int j = 0; j < num_args; j++) {
+    for (uint64_t j = 0; j < num_args; j++) {
       auto arg_name = ZStr();
       auto flags = ReadU8();
       bool required = (flags & 0x1) == 0x1;