From fb2fc0f4dc2516a06b59913b7a5cf4472024b6c8 Mon Sep 17 00:00:00 2001
From: Dmitry Vyukov <dvyukov@google.com>
Date: Sun, 8 Jul 2018 22:43:41 +0200
Subject: prog: fix pointer validation

Query size after validating the object itself,
otherwise size can panic on corrupted object.
---
 prog/validation.go | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/prog/validation.go b/prog/validation.go
index b38afc874..148640650 100644
--- a/prog/validation.go
+++ b/prog/validation.go
@@ -221,15 +221,6 @@ func (arg *UnionArg) validate(ctx *validCtx) error {
 }
 
 func (arg *PointerArg) validate(ctx *validCtx) error {
-	maxMem := ctx.target.NumPages * ctx.target.PageSize
-	size := arg.VmaSize
-	if size == 0 && arg.Res != nil {
-		size = arg.Res.Size()
-	}
-	if arg.Address >= maxMem || arg.Address+size > maxMem {
-		return fmt.Errorf("ptr %v has bad address %v/%v/%v",
-			arg.Type().Name(), arg.Address, arg.VmaSize, size)
-	}
 	switch typ := arg.Type().(type) {
 	case *VmaType:
 		if arg.Res != nil {
@@ -256,5 +247,14 @@ func (arg *PointerArg) validate(ctx *validCtx) error {
 	default:
 		return fmt.Errorf("ptr arg %v has bad type %v", arg, typ.Name())
 	}
+	maxMem := ctx.target.NumPages * ctx.target.PageSize
+	size := arg.VmaSize
+	if size == 0 && arg.Res != nil {
+		size = arg.Res.Size()
+	}
+	if arg.Address >= maxMem || arg.Address+size > maxMem {
+		return fmt.Errorf("ptr %v has bad address %v/%v/%v",
+			arg.Type().Name(), arg.Address, arg.VmaSize, size)
+	}
 	return nil
 }
-- 
cgit mrf-deployment