From: Filipe Cabecinhas Date: Fri, 24 Apr 2015 11:30:15 +0000 (+0000) Subject: [BitcodeReader] Fix asserts when we read a non-vector type for insert/extract/shuffle X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=45a69610a7c13a3bd054e33742c1b2e3be52c332;p=oota-llvm.git [BitcodeReader] Fix asserts when we read a non-vector type for insert/extract/shuffle Added some additional checking for vector types + tests. Bug found with AFL fuzz. git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@235710 91177308-0d34-0410-b5e6-96231b3b80d8
---
diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index a16be24a5b5..57cd1d434dc 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3646,6 +3646,8 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 if (getValueTypePair(Record, OpNum, NextValueNo, Vec) ||
 getValueTypePair(Record, OpNum, NextValueNo, Idx))
 return Error("Invalid record");
+ if (!Vec->getType()->isVectorTy())
+ return Error("Invalid type for value");
 I = ExtractElementInst::Create(Vec, Idx);
 InstructionList.push_back(I);
 break;
@@ -3654,8 +3656,11 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 case bitc::FUNC_CODE_INST_INSERTELT: { // INSERTELT: [ty, opval,opval,opval]
 unsigned OpNum = 0;
 Value *Vec, *Elt, *Idx;
- if (getValueTypePair(Record, OpNum, NextValueNo, Vec) ||
- popValue(Record, OpNum, NextValueNo,
+ if (getValueTypePair(Record, OpNum, NextValueNo, Vec))
+ return Error("Invalid record");
+ if (!Vec->getType()->isVectorTy())
+ return Error("Invalid type for value");
+ if (popValue(Record, OpNum, NextValueNo,
 cast(Vec->getType())->getElementType(), Elt) ||
 getValueTypePair(Record, OpNum, NextValueNo, Idx))
 return Error("Invalid record");
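Review bot: `Idx` still reaches `ExtractElementInst::Create(Vec, Idx)` without a type check in the EXTRACTELT hunk; only `Vec` is validated. The index value and its type come from the record via `getValueTypePair`, so a malformed bitcode file can presumably supply a non-integer index and trip the same kind of operand assertion this commit is closing. The INSERTELT hunk has the same gap for its `Idx`. Using the instruction's own predicate after the operands are read would cover both, e.g. `if (!ExtractElementInst::isValidOperands(Vec, Idx)) return Error("Invalid type for value");` and the `InsertElementInst::isValidOperands(Vec, Elt, Idx)` equivalent. In INSERTELT the added `isVectorTy()` check must stay ahead of the `cast`, and the spot for the extra check lies past the end of that hunk.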
@@ -3673,6 +3678,8 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 if (getValueTypePair(Record, OpNum, NextValueNo, Mask))
 return Error("Invalid record");
+ if (!Vec1->getType()->isVectorTy() || !Vec2->getType()->isVectorTy())
+ return Error("Invalid type for value");
 I = new ShuffleVectorInst(Vec1, Vec2, Mask);
 InstructionList.push_back(I);
 break;
diff --git a/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc b/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc
new file mode 100644
index 00000000000..6fee7edad87
Binary files /dev/null and b/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc differ
diff --git a/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc b/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc
new file mode 100644
index 00000000000..36271657791
Binary files /dev/null and b/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc differ
diff --git a/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc b/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc
new file mode 100644
index 00000000000..6c83a4dcb76
Binary files /dev/null and b/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc differ
diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index 1d8e14230ff..f2271e81f5b 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
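Review bot: `Mask` is handed to `new ShuffleVectorInst(Vec1, Vec2, Mask)` unchecked in the SHUFFLEVEC hunk of BitcodeReader.cpp; the added condition covers only the two vector operands. The mask is read from the record by `getValueTypePair`, so a malformed file can presumably supply a value that is not a valid shuffle mask, which would likely still hit an operand assertion in the constructor. `if (!ShuffleVectorInst::isValidOperands(Vec1, Vec2, Mask)) return Error("Invalid type for value");` would reject it with the error string the new tests already expect. The case body starts above the hunk, so how `Vec1` and `Vec2` are read is not visible here.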
@@ -78,3 +78,12 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-type.bc 2>&1 | \ RUN: FileCheck --check-prefix=ARRAY-TYPE %s ARRAY-TYPE: Array element type can't be an Array or a Blob + +RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-extractelement.bc 2>&1 | \ +RUN: FileCheck --check-prefix=INVALID-TYPE %s +RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-insertelement.bc 2>&1 | \ +RUN: FileCheck --check-prefix=INVALID-TYPE %s +RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-shufflevector.bc 2>&1 | \ +RUN: FileCheck --check-prefix=INVALID-TYPE %s + +INVALID-TYPE: Invalid type for value