From a607be94caf73ac9001f2cc01bae6298d76b29ae Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas <me@filcab.net>
Date: Thu, 30 Apr 2015 00:52:42 +0000
Subject: [PATCH] Make sure we don't resize(0) when we get a fwdref with Idx ==
 UINT_MAX

Make it an error instead.

Bug found with AFL fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@236190 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitcodeReader.cpp          |   4 ++++
 test/Bitcode/Inputs/invalid-too-big-fwdref.bc | Bin 0 -> 452 bytes
 test/Bitcode/invalid.test                     |   5 +++++
 3 files changed, 9 insertions(+)
 create mode 100644 test/Bitcode/Inputs/invalid-too-big-fwdref.bc

diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index f49a53805c9..7778125e2d4 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -790,6 +790,10 @@ Constant *BitcodeReaderValueList::getConstantFwdRef(unsigned Idx,
 }
 
 Value *BitcodeReaderValueList::getValueFwdRef(unsigned Idx, Type *Ty) {
+  // Bail out for a clearly invalid value. This would make us call resize(0)
+  if (Idx == UINT_MAX)
+    return nullptr;
+
   if (Idx >= size())
     resize(Idx + 1);
 
diff --git a/test/Bitcode/Inputs/invalid-too-big-fwdref.bc b/test/Bitcode/Inputs/invalid-too-big-fwdref.bc
new file mode 100644
index 0000000000000000000000000000000000000000..d1d51a634fc286ae62c112690d72237dac66e3b5
GIT binary patch
literal 452
zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB<yg9t8U$RK
zoF;KQwFnrASa3*qav8a(cyLWnR6Y{az$2+xq{4oJLojK@f)x(OJ}?5!=~Q4~;0Mx1
zN*tUDDXlERN=sUR#N(EQ6GVi3I(oQUT6_cylo^UyJcL|?PRKAyoMDh?JjD{mF~RbX
z(t!ye_c%{s0g^x<u}BBPaFAmIG6aFxn4>}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0
zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k
zM<kJfr_fhW!AEpM0MP10pgbr{gjo(|9AfBE<2jhY%*e8smqj4KLI5bv1;p$D0%t`M
z)f8g3@^VbiWjRzD%_t}sl*{Jg;;~IuKv3~+n}bVB3o}q9#5|DOg;^YRK>9&`6j5d{
oF$U6`1)CrK-z<0t=vh9HuR-oYm@Nu4>1rC#q!frrKuI6~0H$zcNdN!<

literal 0
HcmV?d00001

diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index c18ff3d3f61..077f3515128 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@@ -112,3 +112,8 @@ RUN: not llvm-dis -disable-output %p/Inputs/invalid-array-op-not-2nd-to-last.bc
 RUN:   FileCheck --check-prefix=ARRAY-NOT-2LAST %s
 
 ARRAY-NOT-2LAST: Array op not second to last
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-too-big-fwdref.bc 2>&1 | \
+RUN:   FileCheck --check-prefix=HUGE-FWDREF %s
+
+HUGE-FWDREF: Invalid record
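Review bot: `HUGE-FWDREF: Invalid record` pins only a generic diagnostic, so this check would also pass if llvm-dis rejected the input for an unrelated malformed record before ever reaching the new UINT_MAX guard; the other prefixes in this file are not visible in the hunk, but the neighbouring ARRAY-NOT-2LAST check matches a message specific to its case. If the reader can attach a more specific message for this path, matching it here would make the test actually exercise the guard the commit adds; failing that, a comment above the RUN line naming the guard it covers, e.g. `# Idx == UINT_MAX forward reference must be rejected, not resize(0)`, would at least tie the input to the fix.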
-- 
2.34.1