From 2b1f6c23bcbd88f5e7a3d6659446e45c9592cedf Mon Sep 17 00:00:00 2001
From: Bruno Cardoso Lopes
Date: Sun, 8 May 2016 21:27:39 +0000
Subject: [PATCH] [Bitcode] Fix an unsigned integer overflow while parsing bitcode wrapper header

Specially crafted bitcode wrapper headers can cause unsigned interger overflow and lead to crashes when wrapping around. Fix the offset check and avoid such scenarios.

Writing a testcase for this would involve editing the binary to generate values that trigger the overflow, since this would never happen while generating the bitcode in regular compilation flows, so there's currently no feasible way add one.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@268881 91177308-0d34-0410-b5e6-96231b3b80d8
---
 include/llvm/Bitcode/ReaderWriter.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/llvm/Bitcode/ReaderWriter.h b/include/llvm/Bitcode/ReaderWriter.h
index 7a1e726dfda..1d7beb54275 100644
--- a/include/llvm/Bitcode/ReaderWriter.h
+++ b/include/llvm/Bitcode/ReaderWriter.h
@@ -162,9 +162,10 @@ namespace llvm {
     unsigned Offset = support::endian::read32le(&BufPtr[BWH_OffsetField]);
     unsigned Size = support::endian::read32le(&BufPtr[BWH_SizeField]);
+    uint64_t BitcodeOffsetEnd = (uint64_t)Offset + (uint64_t)Size;
     // Verify that Offset+Size fits in the file.
-    if (VerifyBufferSize && Offset+Size > unsigned(BufEnd-BufPtr))
+    if (VerifyBufferSize && BitcodeOffsetEnd > uint64_t(BufEnd-BufPtr))
       return true;
     BufPtr += Offset;
     BufEnd = BufPtr+Size;
-- 
2.50.1
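Review bot: The added `uint64_t BitcodeOffsetEnd` line carries no comment saying why the sum is formed in 64 bits, so a later cleanup could fold it back into a 32-bit comparison and silently reintroduce the wrap; a one-line note above it such as `// Both header fields are 32-bit, so their sum cannot wrap in 64 bits.` would pin the intent. The widened check only runs when `VerifyBufferSize` is set; on the other path `BufPtr += Offset` and `BufEnd = BufPtr+Size` still advance the pointers with unvalidated header values, which is presumably deliberate for callers holding only a partial buffer but is worth stating in the function's doc comment. `uint64_t(BufEnd-BufPtr)` converts a `ptrdiff_t`, which is only safe if the earlier minimum-length check (outside this hunk) already guarantees `BufEnd >= BufPtr`. The enclosing function begins and ends outside the hunk.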