From ddf553bb8da207108644125d58b8570dcf179e27 Mon Sep 17 00:00:00 2001
From: Filipe Cabecinhas
Date: Sat, 16 May 2015 00:33:12 +0000
Subject: [PATCH] [BitcodeReader] Don't allow INSERTVAL/EXTRACTVAL with 0 indices

This would trigger an assertion later. Bug found with AFL fuzz.

git-svn-id: https://llvm.org/svn/llvm-project/llvm/trunk@237494 91177308-0d34-0410-b5e6-96231b3b80d8
---
 lib/Bitcode/Reader/BitcodeReader.cpp | 14 ++++++++++----
 test/Bitcode/Inputs/invalid-extract-0-indices.bc | Bin 0 -> 452 bytes
 test/Bitcode/Inputs/invalid-insert-0-indices.bc | Bin 0 -> 452 bytes
 test/Bitcode/invalid.test | 10 ++++++++++
 4 files changed, 20 insertions(+), 4 deletions(-)
 create mode 100644 test/Bitcode/Inputs/invalid-extract-0-indices.bc
 create mode 100644 test/Bitcode/Inputs/invalid-insert-0-indices.bc

diff --git a/lib/Bitcode/Reader/BitcodeReader.cpp b/lib/Bitcode/Reader/BitcodeReader.cpp
index 743466051a1..e0800916c8c 100644
--- a/lib/Bitcode/Reader/BitcodeReader.cpp
+++ b/lib/Bitcode/Reader/BitcodeReader.cpp
@@ -3555,10 +3555,13 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 if (getValueTypePair(Record, OpNum, NextValueNo, Agg))
 return Error("Invalid record");
+ unsigned RecSize = Record.size();
+ if (OpNum == RecSize)
+ return Error("EXTRACTVAL: Invalid instruction with 0 indices");
+
 SmallVector EXTRACTVALIdx;
 Type *CurTy = Agg->getType();
- for (unsigned RecSize = Record.size();
- OpNum != RecSize; ++OpNum) {
+ for (; OpNum != RecSize; ++OpNum) {
 bool IsArray = CurTy->isArrayTy();
 bool IsStruct = CurTy->isStructTy();
 uint64_t Index = Record[OpNum];
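Review bot: The new guard on the EXTRACTVAL path rejects only `OpNum == RecSize`, while the loop below it still runs on `OpNum != RecSize`; both are safe only if getValueTypePair can never leave OpNum past the end of Record, which this hunk does not show, and if it ever did the loop would read Record[OpNum] out of range instead of returning an error. Widening the check closes that window at no cost: `if (OpNum >= RecSize)` and `for (; OpNum < RecSize; ++OpNum) {`. The INSERTVAL hunk at -3594/+3597 has the identical shape and would take the same two-line change. A short comment over the guard, such as `// A record that ends right after the aggregate operand carries no indices.`, would also tell a reader why the check sits before the index loop rather than inside it. ParseFunctionBody and both case bodies begin and end outside these hunks.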
@@ -3594,10 +3597,13 @@ std::error_code BitcodeReader::ParseFunctionBody(Function *F) {
 if (getValueTypePair(Record, OpNum, NextValueNo, Val))
 return Error("Invalid record");
+ unsigned RecSize = Record.size();
+ if (OpNum == RecSize)
+ return Error("INSERTVAL: Invalid instruction with 0 indices");
+
 SmallVector INSERTVALIdx;
 Type *CurTy = Agg->getType();
- for (unsigned RecSize = Record.size();
- OpNum != RecSize; ++OpNum) {
+ for (; OpNum != RecSize; ++OpNum) {
 bool IsArray = CurTy->isArrayTy();
 bool IsStruct = CurTy->isStructTy();
 uint64_t Index = Record[OpNum];
diff --git a/test/Bitcode/Inputs/invalid-extract-0-indices.bc b/test/Bitcode/Inputs/invalid-extract-0-indices.bc
new file mode 100644
index 0000000000000000000000000000000000000000..bfde5264502ad8dbccfd852cf869bd36d9e87f71
GIT binary patch
literal 452 zcmZ>AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0 zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k zM9&`6j5d{ nF$U6`1)CWd7IOkwDSRMbgWQEMTNG&0)ij_AK5$Qwhk+rFfq{X$Nr8b0NDBcmd!zD1#}h1`Yyw7>lNeigR9QJB}F$U~Vl5k}h%XN#7@Jx&eml@;v8GYWa0 zG4Q_?;QP|RXUyXycj%z(xrH)m2CQIZ&C+L>ZBIDc_AuK5%_vl0U;vpXwn3rS#U+?k zM9&`6j5d{ kF$U6`1)D(xkd?v*@-@g^2(v|jCS6Sfnv?=D2`C8!05$Dl^8f$< literal 0 HcmV?d00001
diff --git a/test/Bitcode/invalid.test b/test/Bitcode/invalid.test
index 2fe77989b2a..fbd1cb9f4d9 100644
--- a/test/Bitcode/invalid.test
+++ b/test/Bitcode/invalid.test
@@ -127,3 +127,13 @@
 RUN: not llvm-dis -disable-output %p/Inputs/invalid-GCTable-overflow.bc 2>&1 | \
 RUN: FileCheck --check-prefix=GCTABLE-OFLOW %s
 GCTABLE-OFLOW: Invalid ID
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-insert-0-indices.bc 2>&1 | \
+RUN: FileCheck --check-prefix=INSERT-0-IDXS %s
+
+INSERT-0-IDXS: INSERTVAL: Invalid instruction with 0 indices
+
+RUN: not llvm-dis -disable-output %p/Inputs/invalid-extract-0-indices.bc 2>&1 | \
+RUN: FileCheck --check-prefix=EXTRACT-0-IDXS %s
+
+EXTRACT-0-IDXS: EXTRACTVAL: Invalid instruction with 0 indices
-- 
2.34.1