Verify the token for ldtoken.

	* verify.c (do_load_token): Verify table and index
	of the source token.

	Fixes #560348

diff --git a/mono/metadata/verify.c b/mono/metadata/verify.c
index cd33c1385605cdce266f8b26b3aed6757ed7531b..c4dc537d98b9a86e02403d649e0e6d1f19761045 100644 (file)
--- a/mono/metadata/verify.c
+++ b/mono/metadata/verify.c
@@ -3318,6 +3318,25 @@ do_load_token (VerifyContext *ctx, int token)
        MonoClass *handle_class;
        if (!check_overflow (ctx))
                return;
+
+       switch (token & 0xff000000) {
+       case MONO_TOKEN_TYPE_DEF:
+       case MONO_TOKEN_TYPE_REF:
+       case MONO_TOKEN_TYPE_SPEC:
+       case MONO_TOKEN_FIELD_DEF:
+       case MONO_TOKEN_METHOD_DEF:
+       case MONO_TOKEN_METHOD_SPEC:
+       case MONO_TOKEN_MEMBER_REF:
+               if (!token_bounds_check (ctx->image, token)) {
+                       ADD_VERIFY_ERROR (ctx, g_strdup_printf ("Table index out of range 0x%x for token %x for ldtoken at 0x%04x", mono_metadata_token_index (token), token, ctx->ip_offset));
+                       return;
+               }
+               break;
+       default:
+               ADD_VERIFY_ERROR (ctx, g_strdup_printf ("Invalid table 0x%x for token 0x%x for ldtoken at 0x%04x", mono_metadata_token_table (token), token, ctx->ip_offset));
+               return;
+       }
+
        handle = mono_ldtoken (ctx->image, token, &handle_class, ctx->generic_context);
        if (!handle) {
                ADD_VERIFY_ERROR (ctx, g_strdup_printf ("Invalid token 0x%x for ldtoken at 0x%04x", token, ctx->ip_offset));