From db07f4c8a7d27039cb9b8e6c850de11f91060412 Mon Sep 17 00:00:00 2001
From: George Rimar <grimar@accesssoftek.com>
Date: Wed, 25 Oct 2017 10:23:49 +0000
Subject: [PATCH] [llvm-dwarfdump] - Fix array out of bounds access crash.

This fixes possible out of bound access in
DWARFDie::getFirstChild()
which might happen when .debug_info section is corrupted,
like shown in testcase.

Differential revision: https://reviews.llvm.org/D39185


git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@316566 91177308-0d34-0410-b5e6-96231b3b80d8
---
 include/llvm/DebugInfo/DWARF/DWARFDie.h       |  6 +--
 include/llvm/DebugInfo/DWARF/DWARFUnit.h      |  1 +
 lib/DebugInfo/DWARF/DWARFDie.cpp              |  6 +++
 lib/DebugInfo/DWARF/DWARFUnit.cpp             | 11 +++++
 .../llvm-dwarfdump/X86/verify_debug_info2.s   | 42 +++++++++++++++++++
 5 files changed, 61 insertions(+), 5 deletions(-)
 create mode 100644 test/tools/llvm-dwarfdump/X86/verify_debug_info2.s

diff --git a/include/llvm/DebugInfo/DWARF/DWARFDie.h b/include/llvm/DebugInfo/DWARF/DWARFDie.h
index 9cb067a0129..75fc5995c5b 100644
--- a/include/llvm/DebugInfo/DWARF/DWARFDie.h
+++ b/include/llvm/DebugInfo/DWARF/DWARFDie.h
@@ -108,11 +108,7 @@ public:
   ///
   /// \returns a valid DWARFDie instance if this object has children or an
   /// invalid DWARFDie instance if it doesn't.
-  DWARFDie getFirstChild() const {
-    if (isValid() && Die->hasChildren())
-      return DWARFDie(U, Die + 1);
-    return DWARFDie();
-  }
+  DWARFDie getFirstChild() const;
 
   /// Dump the DIE and all of its attributes to the supplied stream.
   ///
diff --git a/include/llvm/DebugInfo/DWARF/DWARFUnit.h b/include/llvm/DebugInfo/DWARF/DWARFUnit.h
index 78f873e9840..696299fb311 100644
--- a/include/llvm/DebugInfo/DWARF/DWARFUnit.h
+++ b/include/llvm/DebugInfo/DWARF/DWARFUnit.h
@@ -372,6 +372,7 @@ public:
 
   DWARFDie getParent(const DWARFDebugInfoEntry *Die);
   DWARFDie getSibling(const DWARFDebugInfoEntry *Die);
+  DWARFDie getFirstChild(const DWARFDebugInfoEntry *Die);
 
   /// \brief Return the DIE object for a given offset inside the
   /// unit's DIE vector.
diff --git a/lib/DebugInfo/DWARF/DWARFDie.cpp b/lib/DebugInfo/DWARF/DWARFDie.cpp
index a534d3628ef..d20eabff7f0 100644
--- a/lib/DebugInfo/DWARF/DWARFDie.cpp
+++ b/lib/DebugInfo/DWARF/DWARFDie.cpp
@@ -511,6 +511,12 @@ DWARFDie DWARFDie::getSibling() const {
   return DWARFDie();
 }
 
+DWARFDie DWARFDie::getFirstChild() const {
+  if (isValid())
+    return U->getFirstChild(Die);
+  return DWARFDie();
+}
+
 iterator_range<DWARFDie::attribute_iterator> DWARFDie::attributes() const {
   return make_range(attribute_iterator(*this, false),
                     attribute_iterator(*this, true));
diff --git a/lib/DebugInfo/DWARF/DWARFUnit.cpp b/lib/DebugInfo/DWARF/DWARFUnit.cpp
index 86451faa79d..65ab5943494 100644
--- a/lib/DebugInfo/DWARF/DWARFUnit.cpp
+++ b/lib/DebugInfo/DWARF/DWARFUnit.cpp
@@ -450,6 +450,17 @@ DWARFDie DWARFUnit::getSibling(const DWARFDebugInfoEntry *Die) {
   return DWARFDie();
 }
 
+DWARFDie DWARFUnit::getFirstChild(const DWARFDebugInfoEntry *Die) {
+  if (!Die->hasChildren())
+    return DWARFDie();
+
+  // We do not want access out of bounds when parsing corrupted debug data.
+  size_t I = getDIEIndex(Die) + 1;
+  if (I >= DieArray.size())
+    return DWARFDie();
+  return DWARFDie(this, &DieArray[I]);
+}
+
 const DWARFAbbreviationDeclarationSet *DWARFUnit::getAbbreviations() const {
   if (!Abbrevs)
     Abbrevs = Abbrev->getAbbreviationDeclarationSet(AbbrOffset);
diff --git a/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s b/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s
new file mode 100644
index 00000000000..71b95579839
--- /dev/null
+++ b/test/tools/llvm-dwarfdump/X86/verify_debug_info2.s
@@ -0,0 +1,42 @@
+# RUN: llvm-mc %s -filetype obj -triple=i686-pc-linux -o %t
+# RUN: not llvm-dwarfdump -v -verify %t 2>&1 | FileCheck %s
+# CHECK: The length for this unit is too large for the .debug_info provided.
+
+## Check we do not crash when trying to parse truncated .debug_info.
+.section  .debug_info,"",@progbits
+  .long 0x1c
+  .value  0x4
+  .long  .Ldebug_abbrev0
+  .byte  0x4
+
+  .uleb128 0x1 # DW_TAG_compile_unit [1] *
+  .long  0     # DW_AT_producer [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .byte  0x4   # DW_AT_language [DW_FORM_data1] (DW_LANG_C_plus_plus)
+  .long  0     # DW_AT_name [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .long  0     # DW_AT_comp_dir [DW_FORM_strp] ( .debug_str[0x00000000] = "test")
+  .long  0     # DW_AT_low_pc [DW_FORM_addr] (0x0000000000000000)
+  .long  0     # DW_AT_high_pc [DW_FORM_data4] (0x00000000)
+
+.section  .debug_abbrev,"",@progbits
+.Ldebug_abbrev0:
+  .uleb128 0x1
+  .uleb128 0x11 # DW_TAG_compile_unit, DW_CHILDREN_yes
+  .byte  0x1
+  .uleb128 0x25 # DW_AT_producer, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x13 # DW_AT_language, DW_FORM_data1
+  .uleb128 0xb
+  .uleb128 0x3  # DW_AT_name, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x1b # DW_AT_comp_dir, DW_FORM_strp
+  .uleb128 0xe
+  .uleb128 0x11 # DW_AT_low_pc, DW_FORM_addr
+  .uleb128 0x1
+  .uleb128 0x12 # DW_AT_high_pc, DW_FORM_data4
+  .uleb128 0x6
+  .byte  0
+  .byte  0
+  .byte  0
+
+.section .debug_str,"MS",@progbits,1
+.string "test"
-- 
2.40.0