Conversation

@jacobprezant

This PR fixes a panic in code signature parsing that could be triggered by malformed Mach-O files. If a CodeSignature blob (e.g., the entitlements blob) declared a length smaller than its header size, the parser computed a negative payload length and make panicked. My fix adds explicit length validation so the parser returns an error instead of panicking. Feel free to correct if needed. PoC:

package main

import (
	"encoding/binary"
	"fmt"

	"github.com/blacktop/go-macho/pkg/codesign"
)

func main() {
	b := make([]byte, 28)

	binary.BigEndian.PutUint32(b[0:], 0xfade0cc0) // MAGIC_EMBEDDED_SIGNATURE
	binary.BigEndian.PutUint32(b[4:], 28)         // total length
	binary.BigEndian.PutUint32(b[8:], 1)          // count

	binary.BigEndian.PutUint32(b[12:], 5)  // CSSLOT_ENTITLEMENTS
	binary.BigEndian.PutUint32(b[16:], 20) // offset to blob header

	binary.BigEndian.PutUint32(b[20:], 0xfade7171) // MAGIC_EMBEDDED_ENTITLEMENTS
	binary.BigEndian.PutUint32(b[24:], 0)          // invalid length

	cs, err := codesign.ParseCodeSignature(b)
	fmt.Printf("cs=%v err=%v\n", cs, err)
}

@blacktop
Owner

blacktop commented Jan 4, 2026

Thanks for the fix! Could you also apply the same validation to parseCodeDirectory at line 244 where cdData := make([]byte, cd.BlobHeader.Length) has the same vulnerability—a maliciously large Length field could cause an OOM or panic.
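The two checks discussed in this thread (a declared blob length below the 8-byte header size, and one larger than the bytes actually present) written out as an added Go example; this is not go-macho's own code, and parseBlob, pocSuperBlob and errBadBlobLength are hypothetical names. The blob-header layout (4-byte big-endian magic followed by a 4-byte big-endian total length) is taken from the PoC bytes above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const blobHeaderSize = 8 // blob header: magic (4) + total length (4)
var errBadBlobLength = errors.New("codesign: invalid blob length")

// parseBlob returns the magic and payload of the blob header at off, rejecting a length
// smaller than the header (negative payload size) or past the end of data (huge allocation).
func parseBlob(data []byte, off uint32) (magic uint32, payload []byte, err error) {
	if uint64(off)+blobHeaderSize > uint64(len(data)) {
		return 0, nil, fmt.Errorf("%w: header at offset %d past end of %d bytes", errBadBlobLength, off, len(data))
	}
	rest := data[off:]
	magic = binary.BigEndian.Uint32(rest[0:4])
	length := binary.BigEndian.Uint32(rest[4:8])
	if length < blobHeaderSize {
		return magic, nil, fmt.Errorf("%w: length %d smaller than %d-byte header", errBadBlobLength, length, blobHeaderSize)
	}
	if uint64(length) > uint64(len(rest)) {
		return magic, nil, fmt.Errorf("%w: length %d exceeds %d bytes remaining", errBadBlobLength, length, len(rest))
	}
	payload = make([]byte, length-blobHeaderSize) // safe only after both checks above
	copy(payload, rest[blobHeaderSize:length])
	return magic, payload, nil
}

// pocSuperBlob rebuilds the constructed 28-byte input from the PR: one
// entitlements slot whose blob header declares length 0.
func pocSuperBlob() []byte {
	b := make([]byte, 28)
	binary.BigEndian.PutUint32(b[0:], 0xfade0cc0)  // MAGIC_EMBEDDED_SIGNATURE
	binary.BigEndian.PutUint32(b[4:], 28)          // total length
	binary.BigEndian.PutUint32(b[8:], 1)           // count
	binary.BigEndian.PutUint32(b[12:], 5)          // CSSLOT_ENTITLEMENTS
	binary.BigEndian.PutUint32(b[16:], 20)         // offset to blob header
	binary.BigEndian.PutUint32(b[20:], 0xfade7171) // MAGIC_EMBEDDED_ENTITLEMENTS
	binary.BigEndian.PutUint32(b[24:], 0)          // invalid length
	return b
}

func main() {
	_, _, err := parseBlob(pocSuperBlob(), 20)
	fmt.Println("entitlements blob:", err) // an error is returned instead of make panicking
}
```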

@jacobprezant
Author

Good catch. I added the validation for parseCodeDirectory. I also patched another panic in fixupchains & hardened cpio & xar against path traversals. If you'd like to keep this PR codesign only, please let me know and I'll revert.

@blacktop
Owner

blacktop commented Jan 9, 2026

yes, those should be in their own PRs

@jacobprezant
Author

jacobprezant commented Jan 11, 2026

Reverted to only codesign fixes & made separate PRs.
