From 45a69610a7c13a3bd054e33742c1b2e3be52c332 Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas
Date: Fri, 24 Apr 2015 11:30:15 +0000
Subject: [PATCH] [BitcodeReader] Fix asserts when we read a non-vector type for insert/extract/shuffle

Added some additional checking for vector types + tests. Bug found with AFL fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@235710 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitcodeReader.cpp | 11 +++++++++--
 .../Inputs/invalid-non-vector-extractelement.bc | Bin 0 -> 612 bytes
 .../Inputs/invalid-non-vector-insertelement.bc | Bin 0 -> 612 bytes
 .../Inputs/invalid-non-vector-shufflevector.bc | Bin 0 -> 612 bytes
 test/Bitcode/invalid.test | 9 +++++++++
 5 files changed, 18 insertions(+), 2 deletions(-)
 create mode 100644 test/Bitcode/Inputs/invalid-non-vector-extractelement.bc
 create mode 100644 test/Bitcode/Inputs/invalid-non-vector-insertelement.bc
 create mode 100644 test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc

diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index a16be24a5b5..57cd1d434dc 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3646,6 +3646,8 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 if (getValueTypePair(Record, OpNum, NextValueNo, Vec) ||
 getValueTypePair(Record, OpNum, NextValueNo, Idx))
 return Error("Invalid record");
+ if (!Vec->getType()->isVectorTy())
+ return Error("Invalid type for value");
 I = ExtractElementInst::Create(Vec, Idx);
 InstructionList.push_back(I);
 break;
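Review bot: The new guard covers only `Vec`; `Idx` is also read with getValueTypePair, so its type comes from the record, and it still reaches `ExtractElementInst::Create(Vec, Idx)` unchecked. If the constructor asserts operand validity, as the commit title suggests, a record with a vector operand and a non-integer index would still trip it, or build invalid IR where asserts are compiled out. Consider `if (!ExtractElementInst::isValidOperands(Vec, Idx)) return Error("Invalid type for value");` in place of the bare isVectorTy() test. The same gap is visible for `Idx` in the INSERTELT hunk and for `Mask` in the shufflevector hunk, where `InsertElementInst::isValidOperands` and `ShuffleVectorInst::isValidOperands` would cover it. The case body starts outside this hunk.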
@@ -3654,8 +3656,11 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 case bitc::FUNC_CODE_INST_INSERTELT: { // INSERTELT: [ty, opval,opval,opval]
 unsigned OpNum = 0;
 Value *Vec, *Elt, *Idx;
- if (getValueTypePair(Record, OpNum, NextValueNo, Vec) ||
- popValue(Record, OpNum, NextValueNo,
+ if (getValueTypePair(Record, OpNum, NextValueNo, Vec))
+ return Error("Invalid record");
+ if (!Vec->getType()->isVectorTy())
+ return Error("Invalid type for value");
+ if (popValue(Record, OpNum, NextValueNo,
 cast(Vec->getType())->getElementType(), Elt) ||
 getValueTypePair(Record, OpNum, NextValueNo, Idx))
 return Error("Invalid record");
@@ -3673,6 +3678,8 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 if (getValueTypePair(Record, OpNum, NextValueNo, Mask))
 return Error("Invalid record");
+ if (!Vec1->getType()->isVectorTy() || !Vec2->getType()->isVectorTy())
+ return Error("Invalid type for value");
 I = new ShuffleVectorInst(Vec1, Vec2, Mask);
 InstructionList.push_back(I);
 break;
diff --git a/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc b/test/Bitcode/Inputs/invalid-non-vector-extractelement.bc
new file mode 100644
index 0000000000000000000000000000000000000000..6fee7edad8791d81c9b158d78beea32d874c0bf5
GIT binary patch literal 612 zcmZ>AK5$Qwhk;=l0|NthlL7-1kQM@B_D1E2jwe_=*#wL%Co#70sIqcM%CU4OHSoAH zIZfhrN)a#;vEY#K)3syKB`@je^r&ED}feT0* zDV^X@NNHu6thl5FNIY&?I6*|nr>%#(CB;WTK$)SK#Y0d4XtDDYkS-vQSOjzx2pkYd zg)kV}G?*bQ0~bjMqe1Z$RPIS41A`!tZOqXibL62+nh2w9hqFb?;U1?3_R0$O;u(cJ z&lvdM3h;et;4|iNk~?%z_S{05Gy_(!vS#Ts%(f?-ZF`t)fo2pcFfeccX*UIniM%`x z#u5hN z4-hyjl9;9tvsG3=Q1NP;gG))hQo~vY(PFX uy-?qS?S<)aoTZRLtR9e?K=w2ySqQLT+5r@SxCf^0Ad%`AlX05|G7|t#XMVr{ literal 0 HcmV?d00001
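Review bot: The order of the new checks in the INSERTELT case is load-bearing but undocumented: the isVectorTy() test has to run before popValue's argument, which casts `Vec->getType()` and reads its element type. A one-line comment above the check would keep a later cleanup from folding the conditions back into a single `||` chain, e.g. `// Must precede the cast of Vec->getType() below, which is only valid for vector types.` The case body continues past the end of this hunk.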
diff --git a/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc b/test/Bitcode/Inputs/invalid-non-vector-insertelement.bc
new file mode 100644
index 0000000000000000000000000000000000000000..3627165779105cf2ca5fff8d002a52cf9801b2ce
GIT binary patch literal 612 zcmZ>AK5$Qwhk;=l0|NthlL7-1kQM@B_D1E2jwe_=*#wL%Co#70sIqcM%CU4OHSoAH zIZfhrN)a#;vEY#K)3syKB`@je^r&ED}feT0* zDV^X@NNHu6thl5FNIY&?I6*|nr>%#(CB;WTK$)SK#Y0d4XtDDYkS-vQSOjzx2pkYd zg)kV}G?*bQ0~bjMqe1Z$RPIS41A`!tZOqXibL62+nh2w9hqFb?;U1?3_R0$O;u(cJ z&lvdM3h;et;4|iNk~?%z_S{05Gy_(!vS#Ts%(f?-ZF`t)fo2pcFfeccX*UIniM%`x z#u5hN z4-hyjl9;9tvsG3=Q1NP;gG))hQo~vY(PFX uy-?qS?S<)aoTZRLtR9e?K=w2ySqQLT+5r@SxCf^0Ad%`AlX05|G7|t-<9@^d literal 0 HcmV?d00001
diff --git a/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc b/test/Bitcode/Inputs/invalid-non-vector-shufflevector.bc
new file mode 100644
index 0000000000000000000000000000000000000000..6c83a4dcb767f17212daecaff09ceb17c0bdb3ba
GIT binary patch literal 612 zcmZ>AK5$Qwhk;=l0|NthlL7-1kQM@B_D1E2jwe_=*#wL%Co#70sIqcM%CU4OHSoAH zIZfhrN)a#;vEY#K)3syKB`@je^r&ED}feT0* zDV^X@NNHu6thl5FNIY&?I6*|nr>%#(CB;WTK$)SK#Y0d4XtDDYkS-vQSOjzx2pkYd zg)kV}G?*bQ0~bjMqe1Z$RPIS41A`!tZOqXibL62+nh2w9hqFb?;U1?3_R0$O;u(cJ z&lvdM3h;et;4|iNk~?%z_S{05Gy_(!vS#Ts%(f?-ZF`t)fo2pcFfeccX*UIniM%`x z#u5hN z4-hyjl9;9tvsG3=Q1NP;gG))hQo~vY(PFX uy-?qS?S<)aoTZRLtR9e?K=w2ySqQLT+5r@SxCf^0Ad%`AlX05|G7|t`Uw+5{ literal 0 HcmV?d00001
diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index 1d8e14230ff..f2271e81f5b 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@@ -78,3 +78,12 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-type.bc 2>&1 | \
 RUN: FileCheck --check-prefix=ARRAY-TYPE %s
 ARRAY-TYPE: Array element type can't be an Array or a Blob
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-extractelement.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-TYPE %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-insertelement.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-TYPE %s
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-non-vector-shufflevector.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INVALID-TYPE %s
+
+INVALID-TYPE: Invalid type for value
--
2.34.1