From 4af77dd891ccbe696a23d58b6cd8194d337a0ab1 Mon Sep 17 00:00:00 2001
From: Florian Hahn
Date: Thu, 11 Jul 2019 09:57:00 +0000
Subject: [PATCH] [BitcodeReader] Validate OpNum, before accessing Record array.

Currently invalid bitcode files can cause a crash, when OpNum exceeds the number of elements in Record, like in the attached bitcode file.

The test case was generated by clusterfuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15698

Reviewers: t.p.northover, thegameg, jfb

Reviewed By: jfb

Differential Revision: https://reviews.llvm.org/D64507

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@365750 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitcodeReader.cpp | 4 ++++
 test/Bitcode/Inputs/invalid-fcmp-opnum.bc | Bin 0 -> 908 bytes
 test/Bitcode/invalid.test | 5 +++++
 3 files changed, 9 insertions(+)
 create mode 100644 test/Bitcode/Inputs/invalid-fcmp-opnum.bc

diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index 0ba76f0f371..0d302b7dfaa 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -4165,6 +4165,10 @@ Error BitcodeReader::parseFunctionBody(Function *F) {
 popValue(Record, OpNum, NextValueNo, LHS->getType(), RHS))
 return error("Invalid record");
 
+ if (OpNum >= Record.size())
+ return error(
+ "Invalid record: operand number exceeded available operands");
+
 unsigned PredVal = Record[OpNum];
 bool IsFP = LHS->getType()->isFPOrFPVectorTy();
 FastMathFlags FMF;
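Review bot: The added guard makes the `Record[OpNum]` read on the next line safe, but the value it loads into `PredVal` is still an unchecked integer taken straight from the bitcode and is presumably cast to a `CmpInst::Predicate` further down; parseFunctionBody continues outside the hunk, so whether that value is range-checked is not visible here, and a fuzzer finds an out-of-range predicate as readily as an out-of-range index. If it is not validated, a check after the `IsFP` line along the lines of `if (IsFP ? !CmpInst::isFPPredicate(static_cast<CmpInst::Predicate>(PredVal)) : !CmpInst::isIntPredicate(static_cast<CmpInst::Predicate>(PredVal))) return error("Invalid record");` would close that gap. The more specific message on the new error, compared with the surrounding plain `"Invalid record"` returns, is helpful for triaging fuzzer reports and worth keeping. A one-line comment above the guard, `// A malformed record can leave OpNum past the end of Record; check before indexing.`, would tell the next reader why this bound is checked here and not inside popValue.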
diff --git a/test/Bitcode/Inputs/invalid-fcmp-opnum.bc b/test/Bitcode/Inputs/invalid-fcmp-opnum.bc new file mode 100644 index 0000000000000000000000000000000000000000..454a14b8611ac37baabb23893b20fa275fe4b2fd GIT binary patch literal 908 zcmXX_O=uHO6rb%T*|m+6)do#;ciHU+H;rXfu$ zNYY)I=s(ITJ>=lQfd7NH96WdsX_8t)34S9zlwxQMBDDlRz=NQ(tqKi)yw6*^BpS`DUG1eOPi*^8B;F#-;V_4OThI9K+F5ji=Lrh;U=m$5mnZQgYclkDO zw&*#W0(OaZcR}eBXmj#cj3ptO+y#KJg9J(J^U)c0zQM+wL@1~D^=dwnp{CN*L}A?C z0*)^X{GNe6dxWo)xfew?E?GCiwB2fjhk zV9X%ZKMg$s^UcQ2r3SY`@a7dibm6y%ZC7W) zgZZMS&!`0@gxfADfmhX;7Q0Z~`YCK)XG`QZ>j1AA0Bksiss|rv@;yur8M?0pF;Pa9 z!2Xy301g4&mdGB{l30@iQ9|!OJYbF|Y?a?w91AMx&6P`pXaQ39ut0irk}&g6Gb%;^ w#)ZvXFJyXjP&St~&1 RUN: FileCheck --check-prefix=NONPOINTER-ATOMICRMW %s NONPOINTER-ATOMICRMW: Invalid record + +RUN: not llvm-dis -disable-output %p/Inputs/invalid-fcmp-opnum.bc 2>&1 | \ +RUN: FileCheck --check-prefix=INVALID-FCMP-OPNUM %s + +INVALID-FCMP-OPNUM: Invalid record: operand number exceeded available operands -- 2.50.0